summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk122
-rw-r--r--gnu/packages/acl.scm37
-rw-r--r--gnu/packages/augeas.scm13
-rw-r--r--gnu/packages/autotools.scm109
-rw-r--r--gnu/packages/avahi.scm4
-rw-r--r--gnu/packages/backup.scm66
-rw-r--r--gnu/packages/base.scm227
-rw-r--r--gnu/packages/bdw-gc.scm8
-rw-r--r--gnu/packages/bioinformatics.scm5
-rw-r--r--gnu/packages/bootstrap.scm85
-rw-r--r--gnu/packages/calcurse.scm4
-rw-r--r--gnu/packages/calendar.scm6
-rw-r--r--gnu/packages/check.scm198
-rw-r--r--gnu/packages/chez.scm7
-rw-r--r--gnu/packages/commencement.scm191
-rw-r--r--gnu/packages/compression.scm23
-rw-r--r--gnu/packages/cross-base.scm1
-rw-r--r--gnu/packages/cups.scm10
-rw-r--r--gnu/packages/curl.scm28
-rw-r--r--gnu/packages/databases.scm13
-rw-r--r--gnu/packages/display-managers.scm4
-rw-r--r--gnu/packages/django.scm2
-rw-r--r--gnu/packages/docbook.scm6
-rw-r--r--gnu/packages/documentation.scm3
-rw-r--r--gnu/packages/emacs.scm9
-rw-r--r--gnu/packages/engineering.scm2
-rw-r--r--gnu/packages/file.scm14
-rw-r--r--gnu/packages/fltk.scm3
-rw-r--r--gnu/packages/fontutils.scm33
-rw-r--r--gnu/packages/freedesktop.scm27
-rw-r--r--gnu/packages/games.scm21
-rw-r--r--gnu/packages/gcc.scm100
-rw-r--r--gnu/packages/gettext.scm19
-rw-r--r--gnu/packages/ghostscript.scm59
-rw-r--r--gnu/packages/gl.scm80
-rw-r--r--gnu/packages/glib.scm28
-rw-r--r--gnu/packages/gnome.scm64
-rw-r--r--gnu/packages/gnupg.scm17
-rw-r--r--gnu/packages/gnuzilla.scm7
-rw-r--r--gnu/packages/groff.scm58
-rw-r--r--gnu/packages/gsasl.scm13
-rw-r--r--gnu/packages/gtk.scm39
-rw-r--r--gnu/packages/guile.scm96
-rw-r--r--gnu/packages/haskell.scm9
-rw-r--r--gnu/packages/icu4c.scm19
-rw-r--r--gnu/packages/image-processing.scm2
-rw-r--r--gnu/packages/image-viewers.scm6
-rw-r--r--gnu/packages/image.scm27
-rw-r--r--gnu/packages/java.scm32
-rw-r--r--gnu/packages/kerberos.scm28
-rw-r--r--gnu/packages/libevent.scm17
-rw-r--r--gnu/packages/libidn.scm32
-rw-r--r--gnu/packages/libunistring.scm19
-rw-r--r--gnu/packages/linux.scm209
-rw-r--r--gnu/packages/lisp.scm10
-rw-r--r--gnu/packages/llvm.scm24
-rw-r--r--gnu/packages/lua.scm7
-rw-r--r--gnu/packages/machine-learning.scm6
-rw-r--r--gnu/packages/make-bootstrap.scm53
-rw-r--r--gnu/packages/man.scm4
-rw-r--r--gnu/packages/maths.scm22
-rw-r--r--gnu/packages/multiprecision.scm4
-rw-r--r--gnu/packages/ncurses.scm36
-rw-r--r--gnu/packages/nettle.scm5
-rw-r--r--gnu/packages/networking.scm86
-rw-r--r--gnu/packages/nfs.scm3
-rw-r--r--gnu/packages/node.scm29
-rw-r--r--gnu/packages/ocaml.scm2
-rw-r--r--gnu/packages/onc-rpc.scm49
-rw-r--r--gnu/packages/package-management.scm47
-rw-r--r--gnu/packages/password-utils.scm4
-rw-r--r--gnu/packages/patches/acl-fix-perl-regex.patch22
-rw-r--r--gnu/packages/patches/automake-regexp-syntax.patch34
-rw-r--r--gnu/packages/patches/automake-test-gzip-warning.patch17
-rw-r--r--gnu/packages/patches/avahi-localstatedir.patch4
-rw-r--r--gnu/packages/patches/clang-runtime-asan-build-fixes.patch92
-rw-r--r--gnu/packages/patches/clang-runtime-esan-build-fixes.patch19
-rw-r--r--gnu/packages/patches/clisp-glibc-2.26.patch20
-rw-r--r--gnu/packages/patches/coreutils-cut-huge-range-test.patch33
-rw-r--r--gnu/packages/patches/diffutils-getopt.patch44
-rw-r--r--gnu/packages/patches/docbook-xsl-nonrecursive-string-subst.patch39
-rw-r--r--gnu/packages/patches/findutils-gnulib-multi-core.patch294
-rw-r--r--gnu/packages/patches/fontconfig-remove-debug-printf.patch18
-rw-r--r--gnu/packages/patches/fossil-CVE-2017-17459.patch57
-rw-r--r--gnu/packages/patches/gcc-asan-missing-include.patch (renamed from gnu/packages/patches/gcc-asan-powerpc-missing-include.patch)0
-rw-r--r--gnu/packages/patches/gcc-fix-texi2pod.patch19
-rw-r--r--gnu/packages/patches/gcc-libsanitizer-fix.patch113
-rw-r--r--gnu/packages/patches/gettext-gnulib-multi-core.patch178
-rw-r--r--gnu/packages/patches/gettext-multi-core.patch185
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2017-8291.patch195
-rw-r--r--gnu/packages/patches/glib-respect-datadir.patch21
-rw-r--r--gnu/packages/patches/glibc-CVE-2017-15670-15671.patch27
-rw-r--r--gnu/packages/patches/gpm-glibc-2.26.patch50
-rw-r--r--gnu/packages/patches/grep-gnulib-lock.patch32
-rw-r--r--gnu/packages/patches/gtk2-fix-failing-test.patch39
-rw-r--r--gnu/packages/patches/icecat-glibc-2.26.patch261
-rw-r--r--gnu/packages/patches/icu4c-CVE-2017-14952.patch18
-rw-r--r--gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch164
-rw-r--r--gnu/packages/patches/icu4c-reset-keyword-list-iterator.patch130
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2016-9601.patch906
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2017-7885.patch38
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2017-7975.patch40
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2017-7976.patch122
-rw-r--r--gnu/packages/patches/jbig2dec-ignore-testtest.patch6
-rw-r--r--gnu/packages/patches/libgnome-encoding.patch16
-rw-r--r--gnu/packages/patches/libgnomeui-utf8.patch51
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-10688.patch92
-rw-r--r--gnu/packages/patches/libtiff-CVE-2017-9936.patch47
-rw-r--r--gnu/packages/patches/libtiff-tiffgetfield-bugs.patch201
-rw-r--r--gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch57
-rw-r--r--gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch43
-rw-r--r--gnu/packages/patches/libtirpc-CVE-2017-8779.patch263
-rw-r--r--gnu/packages/patches/libtirpc-missing-headers.patch40
-rw-r--r--gnu/packages/patches/libunistring-gnulib-multi-core.patch178
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-4658.patch257
-rw-r--r--gnu/packages/patches/libxml2-CVE-2016-5131.patch218
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-0663.patch53
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-15412.patch47
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7375.patch45
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-7376.patch41
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch130
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch319
-rw-r--r--gnu/packages/patches/libxslt-CVE-2016-4738.patch39
-rw-r--r--gnu/packages/patches/libxslt-CVE-2017-5029.patch82
-rw-r--r--gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch200
-rw-r--r--gnu/packages/patches/nfs-utils-missing-headers.patch19
-rw-r--r--gnu/packages/patches/node-test-http2-server-rst-stream.patch131
-rw-r--r--gnu/packages/patches/opencascade-oce-glibc-2.26.patch62
-rw-r--r--gnu/packages/patches/pcre-CVE-2017-7186.patch56
-rw-r--r--gnu/packages/patches/potrace-tests.patch50
-rw-r--r--gnu/packages/patches/python-2.7-adjust-tests.patch22
-rw-r--r--gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch54
-rw-r--r--gnu/packages/patches/python-3-fix-tests.patch149
-rw-r--r--gnu/packages/patches/python-3.5-fix-tests.patch69
-rw-r--r--gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch720
-rw-r--r--gnu/packages/patches/python-unittest2-python3-compat.patch34
-rw-r--r--gnu/packages/patches/python-unittest2-remove-argparse.patch (renamed from gnu/packages/patches/python2-unittest2-remove-argparse.patch)0
-rw-r--r--gnu/packages/patches/tcl-mkindex-deterministic.patch29
-rw-r--r--gnu/packages/patches/valgrind-glibc-compat.patch18
-rw-r--r--gnu/packages/pcre.scm22
-rw-r--r--gnu/packages/pdf.scm32
-rw-r--r--gnu/packages/perl.scm17
-rw-r--r--gnu/packages/photo.scm2
-rw-r--r--gnu/packages/pulseaudio.scm24
-rw-r--r--gnu/packages/python-crypto.scm4
-rw-r--r--gnu/packages/python-web.scm7
-rw-r--r--gnu/packages/python.scm253
-rw-r--r--gnu/packages/rdesktop.scm3
-rw-r--r--gnu/packages/readline.scm117
-rw-r--r--gnu/packages/ruby.scm26
-rw-r--r--gnu/packages/statistics.scm4
-rw-r--r--gnu/packages/tcl.scm43
-rw-r--r--gnu/packages/texinfo.scm20
-rw-r--r--gnu/packages/tls.scm63
-rw-r--r--gnu/packages/valgrind.scm3
-rw-r--r--gnu/packages/version-control.scm6
-rw-r--r--gnu/packages/video.scm13
-rw-r--r--gnu/packages/vulkan.scm189
-rw-r--r--gnu/packages/web.scm2
-rw-r--r--gnu/packages/xdisorg.scm6
-rw-r--r--gnu/packages/xiph.scm11
-rw-r--r--gnu/packages/xml.scm58
-rw-r--r--gnu/packages/xorg.scm48
-rw-r--r--gnu/system.scm2
-rw-r--r--gnu/system/shadow.scm12
165 files changed, 3148 insertions, 7560 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index b72c586e37..9c44b2cc42 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1,5 +1,5 @@
 # GNU Guix --- Functional package management for GNU
-# Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+# Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 # Copyright © 2013, 2014, 2015, 2016, 2017 Andreas Enge <andreas@enge.fr>
 # Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 # Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
@@ -422,6 +422,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/vim.scm				\
   %D%/packages/virtualization.scm		\
   %D%/packages/vpn.scm				\
+  %D%/packages/vulkan.scm			\
   %D%/packages/w3m.scm				\
   %D%/packages/wdiff.scm			\
   %D%/packages/web.scm				\
@@ -535,6 +536,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/a2ps-CVE-2014-0466.patch	\
   %D%/packages/patches/abiword-explictly-cast-bools.patch	\
   %D%/packages/patches/abiword-black-drawing-with-gtk322.patch	\
+  %D%/packages/patches/acl-fix-perl-regex.patch		\
   %D%/packages/patches/acl-hurd-path-max.patch			\
   %D%/packages/patches/aegis-constness-error.patch         	\
   %D%/packages/patches/aegis-perl-tempdir1.patch           	\
@@ -552,8 +554,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/ath9k-htc-firmware-objcopy.patch		\
   %D%/packages/patches/audacity-build-with-system-portaudio.patch \
   %D%/packages/patches/automake-skip-amhello-tests.patch	\
-  %D%/packages/patches/automake-regexp-syntax.patch		\
-  %D%/packages/patches/automake-test-gzip-warning.patch		\
   %D%/packages/patches/avahi-localstatedir.patch		\
   %D%/packages/patches/avidemux-install-to-lib.patch		\
   %D%/packages/patches/awesome-reproducible-png.patch		\
@@ -578,7 +578,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/chmlib-inttypes.patch			\
   %D%/packages/patches/clang-libc-search-path.patch		\
   %D%/packages/patches/clang-3.8-libc-search-path.patch		\
+  %D%/packages/patches/clang-runtime-asan-build-fixes.patch	\
+  %D%/packages/patches/clang-runtime-esan-build-fixes.patch	\
   %D%/packages/patches/clementine-use-openssl.patch		\
+  %D%/packages/patches/clisp-glibc-2.26.patch			\
   %D%/packages/patches/clisp-remove-failing-test.patch		\
   %D%/packages/patches/clucene-pkgconfig.patch			\
   %D%/packages/patches/clx-remove-demo.patch			\
@@ -588,7 +591,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/cool-retro-term-fix-array-size.patch	\
   %D%/packages/patches/cool-retro-term-memory-leak-1.patch	\
   %D%/packages/patches/cool-retro-term-remove-non-free-fonts.patch	\
-  %D%/packages/patches/coreutils-cut-huge-range-test.patch	\
   %D%/packages/patches/cpio-CVE-2016-2037.patch			\
   %D%/packages/patches/cpufrequtils-fix-aclocal.patch		\
   %D%/packages/patches/cracklib-CVE-2016-6318.patch		\
@@ -607,6 +609,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/deja-dup-use-ref-keyword-for-iter.patch	\
   %D%/packages/patches/dfu-programmer-fix-libusb.patch		\
   %D%/packages/patches/diffutils-gets-undeclared.patch		\
+  %D%/packages/patches/diffutils-getopt.patch			\
+  %D%/packages/patches/docbook-xsl-nonrecursive-string-subst.patch	\
   %D%/packages/patches/doc++-include-directives.patch		\
   %D%/packages/patches/doc++-segfault-fix.patch			\
   %D%/packages/patches/doxygen-test.patch			\
@@ -637,14 +641,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/fcgi-2.4.0-poll.patch			\
   %D%/packages/patches/file-CVE-2017-1000249.patch		\
   %D%/packages/patches/findutils-localstatedir.patch		\
-  %D%/packages/patches/findutils-gnulib-multi-core.patch	\
   %D%/packages/patches/findutils-test-xargs.patch		\
   %D%/packages/patches/flint-ldconfig.patch			\
   %D%/packages/patches/fltk-shared-lib-defines.patch		\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
   %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch	\
-  %D%/packages/patches/fossil-CVE-2017-17459.patch		\
+  %D%/packages/patches/fontconfig-remove-debug-printf.patch	\
   %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
   %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
@@ -652,8 +655,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/gawk-shell.patch				\
   %D%/packages/patches/gcc-arm-bug-71399.patch			\
   %D%/packages/patches/gcc-arm-link-spec-fix.patch		\
-  %D%/packages/patches/gcc-asan-powerpc-missing-include.patch	\
+  %D%/packages/patches/gcc-asan-missing-include.patch		\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
+  %D%/packages/patches/gcc-fix-texi2pod.patch			\
+  %D%/packages/patches/gcc-libsanitizer-fix.patch		\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-strmov-store-file-names.patch	\
   %D%/packages/patches/gcc-4-compile-with-gcc-5.patch		 \
@@ -673,10 +678,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/gemma-intel-compat.patch			\
   %D%/packages/patches/geoclue-config.patch			\
-  %D%/packages/patches/gettext-multi-core.patch          	\
-  %D%/packages/patches/gettext-gnulib-multi-core.patch          \
   %D%/packages/patches/ghc-dont-pass-linker-flags-via-response-files.patch	\
-  %D%/packages/patches/ghostscript-CVE-2017-8291.patch		\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
@@ -687,6 +689,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gimp-CVE-2017-17787.patch		\
   %D%/packages/patches/gimp-CVE-2017-17789.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
+  %D%/packages/patches/glib-respect-datadir.patch		\
   %D%/packages/patches/glib-tests-timer.patch			\
   %D%/packages/patches/glibc-CVE-2015-5180.patch		\
   %D%/packages/patches/glibc-CVE-2015-7547.patch		\
@@ -696,7 +699,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch		\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch		\
   %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch		\
-  %D%/packages/patches/glibc-CVE-2017-15670-15671.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
@@ -715,8 +717,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
   %D%/packages/patches/gobject-introspection-cc.patch		\
   %D%/packages/patches/gobject-introspection-girepository.patch	\
+  %D%/packages/patches/gpm-glibc-2.26.patch			\
   %D%/packages/patches/graphite2-ffloat-store.patch		\
-  %D%/packages/patches/grep-gnulib-lock.patch                   \
   %D%/packages/patches/grep-timing-sensitive-test.patch		\
   %D%/packages/patches/groff-source-date-epoch.patch		\
   %D%/packages/patches/gsl-test-i686.patch			\
@@ -732,6 +734,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch	\
   %D%/packages/patches/gtk2-respect-GUIX_GTK2_IM_MODULE_FILE.patch \
   %D%/packages/patches/gtk2-theme-paths.patch			\
+  %D%/packages/patches/gtk2-fix-failing-test.patch		\
   %D%/packages/patches/gtk3-respect-GUIX_GTK3_PATH.patch	\
   %D%/packages/patches/gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch \
   %D%/packages/patches/gtkglext-disable-disable-deprecated.patch \
@@ -760,9 +763,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/icecat-bug-1414945.patch			\
   %D%/packages/patches/icecat-bug-1424373-pt2.patch		\
   %D%/packages/patches/icecat-bug-1427870-spectre-mitigation.patch	\
-  %D%/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch	\
-  %D%/packages/patches/icu4c-CVE-2017-14952.patch		\
-  %D%/packages/patches/icu4c-reset-keyword-list-iterator.patch	\
+  %D%/packages/patches/icecat-glibc-2.26.patch			\
   %D%/packages/patches/id3lib-CVE-2007-4460.patch			\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
   %D%/packages/patches/intltool-perl-compatibility.patch	\
@@ -771,10 +772,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/java-powermock-fix-java-files.patch		\
   %D%/packages/patches/jemalloc-arm-address-bits.patch		\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
-  %D%/packages/patches/jbig2dec-CVE-2016-9601.patch		\
-  %D%/packages/patches/jbig2dec-CVE-2017-7885.patch		\
-  %D%/packages/patches/jbig2dec-CVE-2017-7975.patch		\
-  %D%/packages/patches/jbig2dec-CVE-2017-7976.patch		\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
   %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
   %D%/packages/patches/khmer-use-libraries.patch                \
@@ -822,6 +819,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libgit2-0.25.1-mtime-0.patch		\
   %D%/packages/patches/libgdata-fix-tests.patch			\
   %D%/packages/patches/libgdata-glib-duplicate-tests.patch	\
+  %D%/packages/patches/libgnome-encoding.patch			\
+  %D%/packages/patches/libgnomeui-utf8.patch			\
   %D%/packages/patches/libgxps-CVE-2017-11590.patch		\
   %D%/packages/patches/libffi-3.2.1-complex-alpha.patch		\
   %D%/packages/patches/libjxr-fix-function-signature.patch	\
@@ -843,14 +842,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtasn1-CVE-2017-10790.patch		\
   %D%/packages/patches/libtheora-config-guess.patch		\
-  %D%/packages/patches/libtiff-CVE-2016-10688.patch		\
-  %D%/packages/patches/libtiff-CVE-2017-9936.patch		\
-  %D%/packages/patches/libtiff-tiffgetfield-bugs.patch		\
-  %D%/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch	\
-  %D%/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch	\
-  %D%/packages/patches/libtirpc-CVE-2017-8779.patch		\
+  %D%/packages/patches/libtirpc-missing-headers.patch		\
   %D%/packages/patches/libtool-skip-tests2.patch		\
-  %D%/packages/patches/libunistring-gnulib-multi-core.patch	\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
   %D%/packages/patches/libvdpau-va-gl-unbundle.patch		\
@@ -858,17 +851,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libvorbis-CVE-2017-14633.patch		\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
-  %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
-  %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-0663.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-7375.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-7376.patch		\
-  %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch	\
-  %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch	\
-  %D%/packages/patches/libxml2-CVE-2017-15412.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
-  %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
-  %D%/packages/patches/libxslt-CVE-2017-5029.patch		\
   %D%/packages/patches/libxt-guix-search-paths.patch		\
   %D%/packages/patches/lierolibre-check-unaligned-access.patch	\
   %D%/packages/patches/lierolibre-is-free-software.patch	\
@@ -919,15 +902,14 @@ dist_patch_DATA =						\
   %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch	\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/mutt-store-references.patch		\
-  %D%/packages/patches/ncurses-CVE-2017-10684-10685.patch	\
   %D%/packages/patches/net-tools-bitrot.patch			\
   %D%/packages/patches/netcdf-date-time.patch			\
   %D%/packages/patches/netcdf-tst_h_par.patch			\
   %D%/packages/patches/netsurf-system-utf8proc.patch		\
   %D%/packages/patches/netsurf-y2038-tests.patch		\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
+  %D%/packages/patches/nfs-utils-missing-headers.patch		\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
-  %D%/packages/patches/node-test-http2-server-rst-stream.patch	\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-pkgconfig.patch			\
   %D%/packages/patches/nvi-assume-preserve-path.patch		\
@@ -941,11 +923,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/ocaml-graph-honor-source-date-epoch.patch	\
   %D%/packages/patches/omake-fix-non-determinism.patch	\
   %D%/packages/patches/ola-readdir-r.patch			\
-  %D%/packages/patches/openscenegraph-ffmpeg3.patch             \
+  %D%/packages/patches/opencascade-oce-glibc-2.26.patch		\
   %D%/packages/patches/openexr-missing-samples.patch		\
   %D%/packages/patches/openfoam-4.1-cleanup.patch			\
   %D%/packages/patches/openldap-CVE-2017-9287.patch		\
   %D%/packages/patches/openocd-nrf52.patch			\
+  %D%/packages/patches/openscenegraph-ffmpeg3.patch             \
   %D%/packages/patches/openssl-runpath.patch			\
   %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
@@ -961,7 +944,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/patchutils-xfail-gendiff-tests.patch	\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/pcmanfm-CVE-2017-8934.patch		\
-  %D%/packages/patches/pcre-CVE-2017-7186.patch			\
   %D%/packages/patches/pcre2-CVE-2017-7186.patch		\
   %D%/packages/patches/pcre2-CVE-2017-8786.patch		\
   %D%/packages/patches/perl-file-path-CVE-2017-6512.patch	\
@@ -993,6 +975,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/policycoreutils-make-sepolicy-use-python3.patch	\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
+  %D%/packages/patches/potrace-tests.patch			\
   %D%/packages/patches/procmail-ambiguous-getline-debian.patch  \
   %D%/packages/patches/procmail-CVE-2014-3618.patch		\
   %D%/packages/patches/procmail-CVE-2017-16844.patch		\
@@ -1009,14 +992,13 @@ dist_patch_DATA =						\
   %D%/packages/patches/pygpgme-disable-problematic-tests.patch  \
   %D%/packages/patches/pyqt-configure.patch			\
   %D%/packages/patches/python-2-deterministic-build-info.patch	\
-  %D%/packages/patches/python-2.7-getentropy-on-old-kernels.patch	\
+  %D%/packages/patches/python-2.7-adjust-tests.patch		\
   %D%/packages/patches/python-2.7-search-paths.patch		\
   %D%/packages/patches/python-2.7-site-prefixes.patch		\
   %D%/packages/patches/python-2.7-source-date-epoch.patch	\
   %D%/packages/patches/python-3-deterministic-build-info.patch	\
   %D%/packages/patches/python-3-search-paths.patch		\
-  %D%/packages/patches/python-3.5-fix-tests.patch		\
-  %D%/packages/patches/python-3.5-getentropy-on-old-kernels.patch	\
+  %D%/packages/patches/python-3-fix-tests.patch			\
   %D%/packages/patches/python-dendropy-fix-tests.patch		\
   %D%/packages/patches/python-fix-tests.patch			\
   %D%/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch	\
@@ -1043,7 +1025,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
   %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
-  %D%/packages/patches/python2-unittest2-remove-argparse.patch \
+  %D%/packages/patches/python-unittest2-python3-compat.patch	\
+  %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/qemu-CVE-2017-15038.patch		\
   %D%/packages/patches/qemu-CVE-2017-15289.patch		\
   %D%/packages/patches/qt4-ldflags.patch			\
@@ -1096,7 +1079,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2011-1552+.patch		\
   %D%/packages/patches/tar-CVE-2016-6321.patch			\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
-  %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
   %D%/packages/patches/tcsh-fix-autotest.patch			\
   %D%/packages/patches/tcsh-fix-out-of-bounds-read.patch	\
@@ -1134,6 +1116,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/util-linux-tests.patch			\
   %D%/packages/patches/upower-builddir.patch			\
   %D%/packages/patches/valgrind-enable-arm.patch		\
+  %D%/packages/patches/valgrind-glibc-compat.patch		\
   %D%/packages/patches/vinagre-revert-1.patch                   \
   %D%/packages/patches/vinagre-revert-2.patch                   \
   %D%/packages/patches/virglrenderer-CVE-2017-6386.patch 	\
@@ -1225,56 +1208,7 @@ dist_bootstrap_mips64el_linux_DATA =		\
   %D%/packages/bootstrap/mips64el-linux/tar	\
   %D%/packages/bootstrap/mips64el-linux/xz
 
-# Big bootstrap binaries are not included in the tarball.  Instead, they
-# are downloaded.
-nodist_bootstrap_x86_64_linux_DATA =					\
-  %D%/packages/bootstrap/x86_64-linux/guile-2.0.9.tar.xz
-nodist_bootstrap_i686_linux_DATA =					\
-  %D%/packages/bootstrap/i686-linux/guile-2.0.9.tar.xz
-nodist_bootstrap_armhf_linux_DATA =					\
-  %D%/packages/bootstrap/armhf-linux/guile-2.0.11.tar.xz
-nodist_bootstrap_aarch64_linux_DATA =					\
-  %D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz
-nodist_bootstrap_mips64el_linux_DATA =					\
-  %D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz
-
 # Those files must remain executable, so they remain executable once
 # imported into the store.
 set-bootstrap-executable-permissions:
 	chmod +x $(DESTDIR)$(bootstrapdir)/*/{bash,mkdir,tar,xz}
-
-BOOTSTRAP_GUILE_TARBALLS =			\
-  $(nodist_bootstrap_x86_64_linux_DATA)		\
-  $(nodist_bootstrap_i686_linux_DATA)		\
-  $(nodist_bootstrap_armhf_linux_DATA)		\
-  $(nodist_bootstrap_aarch64_linux_DATA)	\
-  $(nodist_bootstrap_mips64el_linux_DATA)
-
-DISTCLEANFILES = $(BOOTSTRAP_GUILE_TARBALLS)
-
-# Method to download a file from an external source.
-DOWNLOAD_FILE =								\
-  GUILE_LOAD_COMPILED_PATH="$(top_builddir):$$GUILE_LOAD_COMPILED_PATH"	\
-  $(GUILE) --no-auto-compile -L "$(top_builddir)" -L "$(top_srcdir)"	\
-           "$(top_srcdir)/build-aux/download.scm"
-
-%D%/packages/bootstrap/x86_64-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "037b103522a2d0d7d69c7ffd8de683dfe5bb4b59c1fafd70b4ffd397fd2f57f0"
-%D%/packages/bootstrap/i686-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "b757cd46bf13ecac83fb8e955fb50096ac2d17bb610ca8eb816f29302a00a846"
-%D%/packages/bootstrap/armhf-linux/guile-2.0.11.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "e551d05d4d385d6706ab8d574856a087758294dc90ab4c06e70a157a685e23d6"
-%D%/packages/bootstrap/aarch64-linux/guile-2.0.14.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@"			\
-	  "3939909f24dcb955621aa7f81ecde6844bea8a083969c2d275c55699af123ebe"
-%D%/packages/bootstrap/mips64el-linux/guile-2.0.9.tar.xz:
-	$(AM_V_DL)$(MKDIR_P) `dirname "$@"`;	\
-	$(DOWNLOAD_FILE) "$@" 			\
-	  "994680f0001346864aa2c2cc5110f380ee7518dcd701c614291682b8e948f73b"
diff --git a/gnu/packages/acl.scm b/gnu/packages/acl.scm
index ae6764993b..66e4c33fcc 100644
--- a/gnu/packages/acl.scm
+++ b/gnu/packages/acl.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -41,22 +42,32 @@
       (sha256
        (base32
         "08qd9s3wfhv0ajswsylnfwr5h0d7j9d4rgip855nrh400nxp940p"))
-      (patches (search-patches "acl-hurd-path-max.patch"))))
+      (patches (search-patches "acl-fix-perl-regex.patch"
+                               "acl-hurd-path-max.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f   ; FIXME: Investigate test suite failures
-       #:test-target "tests"
+     `(#:test-target "tests"
        #:phases
-        (alist-cons-after
-         'build 'patch-exec-bin-sh
-         (lambda _
-           (substitute* "test/run"
-             (("/bin/sh") (which "sh"))))
-         (alist-replace
-          'install
-          (lambda _
-            (zero? (system* "make" "install" "install-lib" "install-dev")))
-          %standard-phases))))
+       (modify-phases %standard-phases
+         (add-after 'build 'patch-exec-bin-sh
+           (lambda _
+             (substitute* "test/run"
+               (("/bin/sh") (which "sh")))
+             #t))
+         (add-before 'check 'patch-tests
+           (lambda _
+             ;; The coreutils do not have an ACL bit to remove from their
+             ;; output, so the sed expression that removes the bit is disabled.
+             (substitute* "test/sbits-restore.test"
+                          (("\\| sed.*'") ""))
+             ;; These tests require the existence of a user named "bin", but
+             ;; this user does not exist within Guix's build environment.
+             (for-each (lambda (file)
+                         (delete-file (string-append "test/" file)))
+                       '("setfacl-X.test" "cp.test" "misc.test"))))
+         (replace 'install
+           (lambda _
+             (zero? (system* "make" "install" "install-lib" "install-dev")))))))
     (inputs `(("attr" ,attr)))
     (native-inputs
      `(("gettext" ,gettext-minimal)
diff --git a/gnu/packages/augeas.scm b/gnu/packages/augeas.scm
index 077105155c..6939e4147f 100644
--- a/gnu/packages/augeas.scm
+++ b/gnu/packages/augeas.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -38,7 +39,17 @@
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1yf93fqwav1zsl8dpyfkf0g11w05mmfckqy6qsjy5zkklnspbkv5"))))
+                "1yf93fqwav1zsl8dpyfkf0g11w05mmfckqy6qsjy5zkklnspbkv5"))
+              (modules '((guix build utils)))
+              (snippet
+               '(begin
+                  ;; The gnulib test-lock test is prone to writer starvation
+                  ;; with our glibc@2.25, which prefers readers, so disable it.
+                  ;; The gnulib commit b20e8afb0b2 should fix this once
+                  ;; incorporated here.
+                  (substitute* "gnulib/tests/Makefile.in"
+                    (("test-lock\\$\\(EXEEXT\\) ") ""))
+                  #t))))
     (build-system gnu-build-system)
     ;; Marked as "required" in augeas.pc
     (propagated-inputs
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 68c30ad563..355e66f42a 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -239,21 +239,18 @@ output is indexed in many ways to simplify browsing.")
     (license gpl3+)))
 
 (define-public automake
-  ;; Replace with 'automake/latest' on the next rebuild cycle.
   (package
     (name "automake")
-    (version "1.15")
+    (version "1.15.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/automake/automake-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0dl6vfi2lzz8alnklwxzfz624b95hb1ipjvd3mk177flmddcf24r"))
+               "1bzd9g32dfm4rsbw93ld9x7b5nc1y6i4m6zp032qf1i28a8s6sxg"))
              (patches
-              (search-patches "automake-regexp-syntax.patch"
-                              "automake-skip-amhello-tests.patch"
-                              "automake-test-gzip-warning.patch"))))
+              (search-patches "automake-skip-amhello-tests.patch"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,(autoconf-wrapper))
@@ -268,47 +265,47 @@ output is indexed in many ways to simplify browsing.")
                   (srfi srfi-1)
                   (srfi srfi-26)
                   (rnrs io ports))
-       #:phases (alist-cons-before
-                 'patch-source-shebangs 'patch-tests-shebangs
-                 (lambda _
-                   (let ((sh (which "sh")))
-                     (substitute* (find-files "t" "\\.(sh|tap)$")
-                       (("#![[:blank:]]?/bin/sh")
-                        (string-append "#!" sh)))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'patch-source-shebangs 'patch-tests-shebangs
+           (lambda _
+             (let ((sh (which "sh")))
+               (substitute* (find-files "t" "\\.(sh|tap)$")
+                 (("#![[:blank:]]?/bin/sh")
+                  (string-append "#!" sh)))
 
-                     ;; Set these variables for all the `configure' runs
-                     ;; that occur during the test suite.
-                     (setenv "SHELL" sh)
-                     (setenv "CONFIG_SHELL" sh)))
+               ;; Set these variables for all the `configure' runs
+               ;; that occur during the test suite.
+               (setenv "SHELL" sh)
+               (setenv "CONFIG_SHELL" sh)
+               #t)))
 
-                 ;; Files like `install-sh', `mdate.sh', etc. must use
-                 ;; #!/bin/sh, otherwise users could leak erroneous shebangs
-                 ;; in the wild.  See <http://bugs.gnu.org/14201> for an
-                 ;; example.
-                 (alist-cons-after
-                  'install 'unpatch-shebangs
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    (let* ((out (assoc-ref outputs "out"))
-                           (dir (string-append out "/share")))
-                      (define (starts-with-shebang? file)
-                        (equal? (call-with-input-file file
-                                  (lambda (p)
-                                    (list (get-u8 p) (get-u8 p))))
-                                (map char->integer '(#\# #\!))))
+           ;; Files like `install-sh', `mdate.sh', etc. must use
+           ;; #!/bin/sh, otherwise users could leak erroneous shebangs
+           ;; in the wild.  See <http://bugs.gnu.org/14201> for an
+           ;; example.
+           (add-after 'install 'unpatch-shebangs
+             (lambda* (#:key outputs #:allow-other-keys)
+               (let* ((out (assoc-ref outputs "out"))
+                      (dir (string-append out "/share")))
+                 (define (starts-with-shebang? file)
+                   (equal? (call-with-input-file file
+                             (lambda (p)
+                               (list (get-u8 p) (get-u8 p))))
+                           (map char->integer '(#\# #\!))))
 
-                      (for-each (lambda (file)
-                                  (when (and (starts-with-shebang? file)
-                                             (executable-file? file))
-                                    (format #t "restoring shebang on `~a'~%"
-                                            file)
-                                    (substitute* file
-                                      (("^#!.*/bin/sh")
-                                       "#!/bin/sh")
-                                      (("^#!.*/bin/env(.*)$" _ args)
-                                       (string-append "#!/usr/bin/env"
-                                                      args)))))
-                                (find-files dir ".*"))))
-                  %standard-phases))))
+                 (for-each (lambda (file)
+                             (when (and (starts-with-shebang? file)
+                                        (executable-file? file))
+                               (format #t "restoring shebang on `~a'~%"
+                                       file)
+                               (substitute* file
+                                 (("^#!.*/bin/sh")
+                                  "#!/bin/sh")
+                                 (("^#!.*/bin/env(.*)$" _ args)
+                                  (string-append "#!/usr/bin/env"
+                                                 args)))))
+                           (find-files dir ".*"))))))))
     (home-page "https://www.gnu.org/software/automake/")
     (synopsis "Making GNU standards-compliant Makefiles")
     (description
@@ -318,22 +315,6 @@ intuitive format and then Automake works with Autoconf to produce a robust
 Makefile, simplifying the entire process for the developer.")
     (license gpl2+)))                      ; some files are under GPLv3+
 
-
-(define-public automake/latest
-  ;; Merge with 'automake' on the next rebuild cycle.
-  (package
-    (inherit automake)
-    (version "1.15.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/automake/automake-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1bzd9g32dfm4rsbw93ld9x7b5nc1y6i4m6zp032qf1i28a8s6sxg"))
-              (patches
-               (search-patches "automake-skip-amhello-tests.patch"))))))
-
 (define-public libtool
   (package
     (name "libtool")
@@ -411,11 +392,9 @@ complexity of working with shared libraries across platforms.")
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--enable-ltdl-install") ;really install it
-       #:phases (alist-cons-before
-                 'configure 'change-directory
-                 (lambda _
-                   (chdir "libltdl"))
-                 %standard-phases)))
+       #:phases (modify-phases %standard-phases
+                  (add-before 'configure 'change-directory
+                    (lambda _ (chdir "libltdl") #t)))))
 
     (synopsis "System-independent dlopen wrapper of GNU libtool")
     (description (package-description libtool))
diff --git a/gnu/packages/avahi.scm b/gnu/packages/avahi.scm
index 73e63ab0dc..94af0a1be3 100644
--- a/gnu/packages/avahi.scm
+++ b/gnu/packages/avahi.scm
@@ -33,7 +33,7 @@
 (define-public avahi
   (package
     (name "avahi")
-    (version "0.6.31")
+    (version "0.7")
     (home-page "http://avahi.org")
     (source (origin
              (method url-fetch)
@@ -41,7 +41,7 @@
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0j5b5ld6bjyh3qhd2nw0jb84znq0wqai7fsrdzg7bpg24jdp2wl3"))
+               "0128n7jlshw4bpx0vg8lwj8qwdisjxi7mvniwfafgnkzzrfrpaap"))
              (patches (search-patches "avahi-localstatedir.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index a494a04047..61d4acaefc 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;;
@@ -190,16 +191,17 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (replacement libarchive-3.3.2)
-    (version "3.3.1")
+    (version "3.3.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
+       (patches (search-patches "libarchive-CVE-2017-14166.patch"
+                                "libarchive-CVE-2017-14502.patch"))
        (sha256
         (base32
-         "1rr40hxlm9vy5z2zb5w7pyfkgd1a4s061qapm83s19accb8mpji9"))))
+         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
@@ -211,26 +213,25 @@ backups (called chunks) to allow easy burning to CD/DVD.")
        ("xz" ,xz)))
     (arguments
      `(#:phases
-       (alist-cons-before
-        'build 'patch-pwd
-        (lambda _
-          (substitute* "Makefile"
-            (("/bin/pwd") (which "pwd"))))
-        (alist-replace
-         'check
-         (lambda _
-           ;; XXX: The test_owner_parse, test_read_disk, and
-           ;; test_write_disk_lookup tests expect user 'root' to exist, but
-           ;; the chroot's /etc/passwd doesn't have it.  Turn off those tests.
-           ;;
-           ;; The tests allow one to disable tests matching a globbing pattern.
-           (and (zero? (system* "make"
-                                "libarchive_test" "bsdcpio_test" "bsdtar_test"))
-                ;; XXX: This glob disables too much.
-                (zero? (system* "./libarchive_test" "^test_*_disk*"))
-                (zero? (system* "./bsdcpio_test" "^test_owner_parse"))
-                (zero? (system* "./bsdtar_test"))))
-         %standard-phases))
+       (modify-phases %standard-phases
+         (add-before 'build 'patch-pwd
+           (lambda _
+             (substitute* "Makefile"
+               (("/bin/pwd") (which "pwd")))
+             #t))
+         (replace 'check
+           (lambda _
+             ;; XXX: The test_owner_parse, test_read_disk, and
+             ;; test_write_disk_lookup tests expect user 'root' to exist, but
+             ;; the chroot's /etc/passwd doesn't have it.  Turn off those tests.
+             ;;
+             ;; The tests allow one to disable tests matching a globbing pattern.
+             (and (zero? (system* "make"
+                                  "libarchive_test" "bsdcpio_test" "bsdtar_test"))
+                  ;; XXX: This glob disables too much.
+                  (zero? (system* "./libarchive_test" "^test_*_disk*"))
+                  (zero? (system* "./bsdcpio_test" "^test_owner_parse"))
+                  (zero? (system* "./bsdtar_test"))))))
        ;; libarchive/test/test_write_format_gnutar_filenames.c needs to be
        ;; compiled with C99 or C11 or a gnu variant.
        #:configure-flags '("CFLAGS=-O2 -g -std=c99")))
@@ -246,21 +247,6 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
-(define libarchive-3.3.2
-  (package
-    (inherit libarchive)
-    (version "3.3.2")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "http://libarchive.org/downloads/libarchive-"
-                           version ".tar.gz"))
-       (patches (search-patches "libarchive-CVE-2017-14166.patch"
-                                "libarchive-CVE-2017-14502.patch"))
-       (sha256
-        (base32
-         "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))))
-
 (define-public rdup
   (package
     (name "rdup")
@@ -551,9 +537,7 @@ detection, and lossless compression.")
     (native-inputs
      `(("python-cython" ,python-cython)
        ("python-setuptools-scm" ,python-setuptools-scm)
-       ;; Borg >=1.0.8's test suite uses 'tmpdir_factory', which was introduced
-       ;; in pytest 2.8.
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ;; For generating the documentation.
        ("python-sphinx" ,python-sphinx)
        ("python-guzzle-sphinx-theme" ,python-guzzle-sphinx-theme)))
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 5fcfc90e56..92acbd3640 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -10,6 +10,7 @@
 ;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -82,16 +83,15 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "3.0")
+   (version "3.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1dcasjp3a578nrvzrcn38mpizb8w1q6mvfzhjmcqqgkf0nsivj72"))
-            (patches (search-patches "grep-timing-sensitive-test.patch"
-                                     "grep-gnulib-lock.patch"))))
+              "0zm0ywmyz9g8vn1plw14mn8kj74yipx5qsljndbyfgmvndx5qqnv"))
+            (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
    (inputs `(("pcre" ,pcre)))
@@ -240,7 +240,8 @@ differences.")
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1mivg0fy3a6fcn535ln8nkgfj6vxh5hsxxs5h6692wxmsjyyh8fn"))))
+              "1mivg0fy3a6fcn535ln8nkgfj6vxh5hsxxs5h6692wxmsjyyh8fn"))
+            (patches (search-patches "diffutils-getopt.patch"))))
    (build-system gnu-build-system)
    (synopsis "Comparing and merging files")
    (description
@@ -265,11 +266,17 @@ interactive means to merge two files.")
               "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"))
             (patches (search-patches
                       "findutils-localstatedir.patch"
-                      "findutils-test-xargs.patch"
-                      ;; test-lock has performance issues on multi-core
-                      ;; machines, it hangs or takes a long time to complete.
-                      ;; This is a commit from gnulib to fix this issue.
-                      "findutils-gnulib-multi-core.patch"))))
+                      "findutils-test-xargs.patch"))
+            (modules '((guix build utils)))
+            (snippet
+             '(begin
+                ;; The gnulib test-lock test is prone to writer starvation
+                ;; with our glibc@2.25, which prefers readers, so disable it.
+                ;; The gnulib commit b20e8afb0b2 should fix this once
+                ;; incorporated here.
+                (substitute* "tests/Makefile.in"
+                  (("test-lock\\$\\(EXEEXT\\) ") ""))
+                #t))))
    (build-system gnu-build-system)
    (arguments
     `(#:configure-flags (list
@@ -295,15 +302,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.27")
+   (version "8.28")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0sv547572iq8ayy8klir4hnngnx92a9nsazmf1wgzfc7xr4x74c8"))
-            (patches (search-patches "coreutils-cut-huge-range-test.patch"))))
+              "0r8c1bgm68kl70j1lgd0rv12iykw6143k4m9a56xip9rc2hv25qi"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -324,21 +330,24 @@ used to apply commands with arbitrarily long arguments.")
    (outputs '("out" "debug"))
    (arguments
     `(#:parallel-build? #f            ; help2man may be called too early
-      #:phases (alist-cons-before
-                'build 'patch-shell-references
-                (lambda* (#:key inputs #:allow-other-keys)
-                  (let ((bash (assoc-ref inputs "bash")))
-                    ;; 'split' uses either $SHELL or /bin/sh.  Set $SHELL so
-                    ;; that tests pass, since /bin/sh isn't in the chroot.
-                    (setenv "SHELL" (which "sh"))
-
-                    (substitute* (find-files "gnulib-tests" "\\.c$")
-                      (("/bin/sh")
-                       (format #f "~a/bin/sh" bash)))
-                    (substitute* (find-files "tests" "\\.sh$")
-                      (("#!/bin/sh")
-                       (format #f "#!~a/bin/sh" bash)))))
-                %standard-phases)))
+      #:phases (modify-phases %standard-phases
+                 (add-before 'build 'patch-shell-references
+                   (lambda _
+                     ;; 'split' uses either $SHELL or /bin/sh.  Set $SHELL so
+                     ;; that tests pass, since /bin/sh isn't in the chroot.
+                     (setenv "SHELL" (which "sh"))
+
+                     (substitute* (find-files "gnulib-tests" "\\.c$")
+                       (("/bin/sh") (which "sh")))
+                     (substitute* (find-files "tests" "\\.sh$")
+                       (("#!/bin/sh") (which "sh")))
+                     #t)))
+
+      ;; Work around a cross-compilation bug whereby libcoreutils.a would
+      ;; provide '__mktime_internal', which conflicts with the one in libc.a.
+      ,@(if (%current-target-system)
+            `(#:configure-flags '("gl_cv_func_working_mktime=yes"))
+            '())))
    (synopsis "Core GNU utilities (file, text, shell)")
    (description
     "GNU Coreutils includes all of the basic command-line tools that are
@@ -396,16 +405,15 @@ change.  GNU make offers many powerful extensions over the standard utility.")
 
 (define-public binutils
   (package
-   (replacement binutils/fixed)
    (name "binutils")
-   (version "2.28")
+   (version "2.28.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/binutils/binutils-"
                                 version ".tar.bz2"))
             (sha256
              (base32
-              "0wiasgns7i8km8nrxas265sh2dfpsw93b3qw195ipc90w4z475v2"))
+              "1sj234nd05cdgga1r36zalvvdkvpfbr12g5mir2n8i1dwsdrj939"))
             (patches (search-patches "binutils-ld-new-dtags.patch"
                                      "binutils-loongson-workaround.patch"))))
    (build-system gnu-build-system)
@@ -438,19 +446,6 @@ included.")
    (license gpl3+)
    (home-page "https://www.gnu.org/software/binutils/")))
 
-(define binutils/fixed
-  (package
-    (inherit binutils)
-    ;; 2.28.1 is two characters longer than 2.28, so grafting fails due to
-    ;; mismatched lengths of filenames, so we have to force  it to the same length.
-    (version "2281")
-    (source
-      (origin (inherit (package-source binutils))
-              (uri "mirror://gnu/binutils/binutils-2.28.1.tar.bz2")
-              (sha256
-               (base32
-                "1sj234nd05cdgga1r36zalvvdkvpfbr12g5mir2n8i1dwsdrj939"))))))
-
 (define* (make-ld-wrapper name #:key
                           (target (const #f))
                           binutils
@@ -529,15 +524,26 @@ store.")
 (define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.25")
-   (replacement glibc/fixed)
+   ;; Glibc has stable branches that continuously pick fixes for each supported
+   ;; release.  Unfortunately they do not do point-releases, so we are stuck
+   ;; with copying almost all patches, or use a snapshot of the release branch.
+   ;;
+   ;; This version number corresponds to the output of `git describe` and the
+   ;; archive can be generated by checking out the commit ID and running:
+   ;;  git archive --prefix=$(git describe)/ HEAD | xz > $(git describe).tar.xz
+   ;; See <https://bugs.gnu.org/29406> for details.
+   ;;
+   ;; Note: Always use a dot after the minor version since various places rely
+   ;; on "version-major+minor" to determine where locales are found.
+   (version "2.26.105-g0890d5379c")
    (source (origin
             (method url-fetch)
-            (uri (string-append "mirror://gnu/glibc/glibc-"
-                                version ".tar.xz"))
+            (uri (string-append "https://alpha.gnu.org/gnu/guix/mirror/"
+                                "glibc-" (version-major+minor version) "-"
+                                (caddr (string-split version #\.)) ".tar.xz"))
             (sha256
              (base32
-              "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
+              "1jck0c1i248sn02rvsfjykk77qncma34bjq89dyy2irwm50d7s3g"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -548,19 +554,15 @@ store.")
             (modules '((guix build utils)))
             (patches (search-patches "glibc-ldd-x86_64.patch"
                                      "glibc-versioned-locpath.patch"
-                                     "glibc-o-largefile.patch"
-                                     "glibc-memchr-overflow-i686.patch"
-                                     "glibc-vectorized-strcspn-guards.patch"
-                                     "glibc-CVE-2017-1000366-pt1.patch"
-                                     "glibc-CVE-2017-1000366-pt2.patch"
-                                     "glibc-CVE-2017-1000366-pt3.patch"))))
+                                     "glibc-o-largefile.patch"))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
    ;; users should automatically pull Linux headers as well.
    (propagated-inputs `(("kernel-headers" ,linux-libre-headers)))
 
-   (outputs '("out" "debug"))
+   (outputs '("out" "debug"
+              "static"))                          ;9 MiB of .a files
 
    (arguments
     `(#:out-of-source? #t
@@ -571,6 +573,11 @@ store.")
       ;; RUNPATH checks.
       #:validate-runpath? #f
 
+      #:modules ((ice-9 ftw)
+                 (srfi srfi-26)
+                 (guix build utils)
+                 (guix build gnu-build-system))
+
       #:configure-flags
       (list "--enable-add-ons"
             "--sysconfdir=/etc"
@@ -591,7 +598,7 @@ store.")
             ;; `--localedir' is not honored, so work around it.
             ;; See <http://sourceware.org/ml/libc-alpha/2013-03/msg00093.html>.
             (string-append "libc_cv_complocaledir=/run/current-system/locale/"
-                           ,version)
+                           ,(version-major+minor version))
 
             (string-append "--with-headers="
                            (assoc-ref ,(if (%current-target-system)
@@ -600,10 +607,10 @@ store.")
                                       "kernel-headers")
                            "/include")
 
-            ;; This is the default for most architectures as of GNU libc 2.21,
+            ;; This is the default for most architectures as of GNU libc 2.26,
             ;; but we specify it explicitly for clarity and consistency.  See
             ;; "kernel-features.h" in the GNU libc for details.
-            "--enable-kernel=2.6.32"
+            "--enable-kernel=3.2.0"
 
             ;; Use our Bash instead of /bin/sh.
             (string-append "BASH_SHELL="
@@ -675,7 +682,46 @@ store.")
                          ;; "bilingual" eval/exec magic at the top of the file.
                          "")
                         (("exec @PERL@")
-                         "exec perl"))))))))
+                         "exec perl")))))
+
+                 (add-after 'install 'move-static-libs
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     ;; Move static libraries to the "static" output.
+                     (define (static-library? file)
+                       ;; Return true if FILE is a static library.  The
+                       ;; "_nonshared.a" files are referred to by libc.so,
+                       ;; libpthread.so, etc., which are in fact linker
+                       ;; scripts.
+                       (and (string-suffix? ".a" file)
+                            (not (string-contains file "_nonshared"))))
+
+                     (define (linker-script? file)
+                       ;; Guess whether FILE, a ".a" file, is actually a
+                       ;; linker script.
+                       (and (not (ar-file? file))
+                            (not (elf-file? file))))
+
+                     (let* ((out    (assoc-ref outputs "out"))
+                            (lib    (string-append out "/lib"))
+                            (files  (scandir lib static-library?))
+                            (static (assoc-ref outputs "static"))
+                            (slib   (string-append static "/lib")))
+                       (mkdir-p slib)
+                       (for-each (lambda (base)
+                                   (rename-file (string-append lib "/" base)
+                                                (string-append slib "/" base)))
+                                 files)
+
+                       ;; Usually libm.a is a linker script so we need to
+                       ;; change the file names in there to refer to STATIC
+                       ;; instead of OUT.
+                       (for-each (lambda (ld-script)
+                                   (substitute* ld-script
+                                     ((out) static)))
+                                 (filter linker-script?
+                                         (map (cut string-append slib "/" <>)
+                                              files)))
+                       #t))))))
 
    (inputs `(("static-bash" ,static-bash)))
 
@@ -789,17 +835,28 @@ GLIBC/HURD for a Hurd host"
 (define-syntax glibc
   (identifier-syntax (glibc-for-target)))
 
-(define glibc/fixed
+;; Below are old libc versions, which we use mostly to build locale data in
+;; the old format (which the new libc cannot cope with.)
+
+(define-public glibc-2.25
   (package
     (inherit glibc)
+    (version "2.25")
     (source (origin
               (inherit (package-source glibc))
-              (patches (append
-                        (origin-patches (package-source glibc))
-                        (search-patches "glibc-CVE-2017-15670-15671.patch")))))))
-
-;; Below are old libc versions, which we use mostly to build locale data in
-;; the old format (which the new libc cannot cope with.)
+              (uri (string-append "mirror://gnu/glibc/glibc-"
+                                  version ".tar.xz"))
+              (sha256
+               (base32
+                "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
+              (patches (search-patches "glibc-ldd-x86_64.patch"
+                                       "glibc-versioned-locpath.patch"
+                                       "glibc-o-largefile.patch"
+                                       "glibc-vectorized-strcspn-guards.patch"
+                                       "glibc-CVE-2015-5180.patch"
+                                       "glibc-CVE-2017-1000366-pt1.patch"
+                                       "glibc-CVE-2017-1000366-pt2.patch"
+                                       "glibc-CVE-2017-1000366-pt3.patch"))))))
 
 (define-public glibc-2.24
   (package
@@ -817,7 +874,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-o-largefile.patch"
                                        "glibc-vectorized-strcspn-guards.patch"
                                        "glibc-CVE-2015-5180.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -841,7 +897,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-CVE-2016-3075.patch"
                                        "glibc-CVE-2016-3706.patch"
                                        "glibc-CVE-2016-4429.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))))
@@ -864,7 +919,6 @@ GLIBC/HURD for a Hurd host"
                                        "glibc-CVE-2016-3075.patch"
                                        "glibc-CVE-2016-3706.patch"
                                        "glibc-CVE-2016-4429.patch"
-                                       "glibc-CVE-2017-15670-15671.patch"
                                        "glibc-CVE-2017-1000366-pt1.patch"
                                        "glibc-CVE-2017-1000366-pt2.patch"
                                        "glibc-CVE-2017-1000366-pt3.patch"))))
@@ -903,14 +957,16 @@ the 'share/locale' sub-directory of this package.")
                (lambda _
                  (zero? (system* "make" "localedata/install-locales"
                                  "-j" (number->string (parallel-job-count))))))
-             (delete 'install)))
+             (delete 'install)
+             (delete 'move-static-libs)))
          ((#:configure-flags flags)
           `(append ,flags
                    ;; Use $(libdir)/locale/X.Y as is the case by default.
                    (list (string-append "libc_cv_complocaledir="
                                         (assoc-ref %outputs "out")
                                         "/lib/locale/"
-                                        ,(package-version glibc))))))))))
+                                        ,(version-major+minor
+                                          (package-version glibc)))))))))))
 
 (define-public glibc-utf8-locales
   (package
@@ -928,7 +984,7 @@ the 'share/locale' sub-directory of this package.")
                           (gzip      (assoc-ref %build-inputs "gzip"))
                           (out       (assoc-ref %outputs "out"))
                           (localedir (string-append out "/lib/locale/"
-                                                    ,version)))
+                                                    ,(version-major+minor version))))
                      ;; 'localedef' needs 'gzip'.
                      (setenv "PATH" (string-append libc "/bin:" gzip "/bin"))
 
@@ -1025,7 +1081,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2017b")
+    (version "2017c")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1033,7 +1089,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "11l0s43vx33dcs78p80122i8s5s9l1sjwkzzwh66njd35r92l97q"))))
+               "02yrrfj0p7ar885ja41ylijzbr8wc6kz6kzlw8c670i9m693ym6n"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f
@@ -1081,7 +1137,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "0h1d567gn8l3iqgyadcswwdy2yh07nhz3lfl8ds8saz2ajxka5sd"))))))
+                            "1dvrq0b2hz7cjqdyd7x21wpy4qcng3rvysr61ij0c2g64fyb9s41"))))))
     (home-page "https://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
@@ -1091,13 +1147,14 @@ reflect changes made by political bodies to time zone boundaries, UTC offsets,
 and daylight-saving rules.")
     (license public-domain)))
 
-;;; A "fixed" version of tzdata, which is used in the test suites of
-;;; glib and R. We can update this whenever we are able to rebuild
-;;; thousands of packages (for example, in a core-updates rebuild).
-(define-public tzdata-2017a
-  (package
-    (inherit tzdata)
-    (version "2017a")
+;;; A "fixed" version of tzdata, which is used in the test suites of glib and R
+;;; and a few other places. We can update this whenever we are able to rebuild
+;;; thousands of packages (for example, in a core-updates rebuild). This package
+;;; will typically be obsolete and should never be referred to by a built
+;;; package.
+(define-public tzdata-for-tests
+  (hidden-package (package (inherit tzdata)
+    (version "2017c")
     (source
       (origin
         (method url-fetch)
@@ -1105,7 +1162,7 @@ and daylight-saving rules.")
                             "/releases/tzdata" version ".tar.gz"))
         (sha256
          (base32
-          "1mmv4rvcs12lrvgghw4fidczvb69yv69cmzknghcvw1c196mqfnz"))))
+          "02yrrfj0p7ar885ja41ylijzbr8wc6kz6kzlw8c670i9m693ym6n"))))
     (inputs `(("tzcode" ,(origin
                           (method url-fetch)
                           (uri (string-append
@@ -1113,7 +1170,7 @@ and daylight-saving rules.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "1b1q7gnlsh5hjgs5065pvajd37rmbc3k9b8cgzad1vcrifswdwh2"))))))))
+                            "1dvrq0b2hz7cjqdyd7x21wpy4qcng3rvysr61ij0c2g64fyb9s41")))))))))
 
 
 (define-public libiconv
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index ca47227826..f9fda96bb2 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -91,15 +91,15 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.4.4")
+    (version "7.4.8")
     (source (origin
               (method url-fetch)
               (uri (string-append
-                    "http://www.ivmaisoft.com/_bin/atomic_ops/libatomic_ops-"
-                    version ".tar.gz"))
+                    "https://github.com/ivmai/libatomic_ops/releases/download/v"
+                    version "/libatomic_ops-" version ".tar.gz"))
               (sha256
                (base32
-                "13vg5fqwil17zpf4hj4h8rh3blzmym693lkdjgvwpgni1mh0l8dz"))))
+                "0sj3plzpbqgxrqpjq3w2zi3zxxqqps71ncdwk5s1k30i9d9da1f4"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index c96d462445..12cfed68ad 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -10717,10 +10717,7 @@ programs for inferring phylogenies (evolutionary trees).")
     (arguments
      `(;; FIXME: Some tests fail because they produce warnings, others fail
        ;; because the PYTHONPATH does not include the modeller's directory.
-       #:tests? #f
-       ;; Do not place libraries in an architecture-specific directory.
-       #:configure-flags
-       (list "-DCMAKE_INSTALL_LIBDIR=lib")))
+       #:tests? #f))
     (inputs
      `(("boost" ,boost)
        ("gsl" ,gsl)
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index ba733b3a9e..b02737cb7c 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -26,8 +26,10 @@
   #:use-module (guix build-system)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
-  #:use-module ((guix store) #:select (add-to-store add-text-to-store))
-  #:use-module ((guix derivations) #:select (derivation))
+  #:use-module ((guix store)
+                #:select (run-with-store add-to-store add-text-to-store))
+  #:use-module ((guix derivations)
+                #:select (derivation derivation->output-path))
   #:use-module ((guix utils) #:select (gnu-triplet->nix-system))
   #:use-module ((guix build utils) #:select (elf-file?))
   #:use-module (guix memoization)
@@ -38,6 +40,8 @@
             package-with-bootstrap-guile
             glibc-dynamic-linker
 
+            bootstrap-guile-origin
+
             %bootstrap-guile
             %bootstrap-coreutils&co
             %bootstrap-binutils
@@ -133,7 +137,7 @@ successful, or false to signal an error."
     (license gpl3+)))
 
 (define package-with-bootstrap-guile
-  (mlambda (p)
+  (mlambdaq (p)
     "Return a variant of P such that all its origins are fetched with
 %BOOTSTRAP-GUILE."
     (define rewritten-input
@@ -191,6 +195,56 @@ successful, or false to signal an error."
 ;;; Bootstrap packages.
 ;;;
 
+(define %bootstrap-base-urls
+  ;; This is where the initial binaries come from.
+  '("https://alpha.gnu.org/gnu/guix/bootstrap"
+    "http://alpha.gnu.org/gnu/guix/bootstrap"
+    "ftp://alpha.gnu.org/gnu/guix/bootstrap"
+    "http://www.fdn.fr/~lcourtes/software/guix/packages"
+    "http://flashner.co.il/guix/bootstrap"))
+
+(define (bootstrap-guile-url-path system)
+  "Return the URI for FILE."
+  (string-append "/" system
+                 (match system
+                   ("aarch64-linux"
+                    "/20170217/guile-2.0.14.tar.xz")
+                   ("armhf-linux"
+                    "/20150101/guile-2.0.11.tar.xz")
+                   (_
+                    "/20131110/guile-2.0.9.tar.xz"))))
+
+(define (bootstrap-guile-hash system)
+  "Return the SHA256 hash of the Guile bootstrap tarball for SYSTEM."
+  (match system
+    ("x86_64-linux"
+     (base32 "1w2p5zyrglzzniqgvyn1b55vprfzhgk8vzbzkkbdgl5248si0yq3"))
+    ("i686-linux"
+     (base32 "0im800m30abgh7msh331pcbjvb4n02smz5cfzf1srv0kpx3csmxp"))
+    ("mips64el-linux"
+     (base32 "0fzp93lvi0hn54acc0fpvhc7bvl0yc853k62l958cihk03q80ilr"))
+    ("armhf-linux"
+     (base32 "1mi3brl7l58aww34rawhvja84xc7l1b4hmwdmc36fp9q9mfx0lg5"))
+    ("aarch64-linux"
+     (base32 "1giy2aprjmn5fp9c4s9r125fljw4wv6ixy5739i5bffw4jgr0f9r"))))
+
+(define (bootstrap-guile-origin system)
+  "Return an <origin> object for the Guile tarball of SYSTEM."
+  (origin
+    (method url-fetch)
+    (uri (map (cute string-append <> (bootstrap-guile-url-path system))
+              %bootstrap-base-urls))
+    (sha256 (bootstrap-guile-hash system))))
+
+(define (download-bootstrap-guile store system)
+  "Return a derivation that downloads the bootstrap Guile tarball for SYSTEM."
+  (let* ((path (bootstrap-guile-url-path system))
+         (base (basename path))
+         (urls (map (cut string-append <> path) %bootstrap-base-urls)))
+    (run-with-store store
+      (url-fetch urls 'sha256 (bootstrap-guile-hash system)
+                 #:system system))))
+
 (define* (raw-build store name inputs
                     #:key outputs system search-paths
                     #:allow-other-keys)
@@ -205,13 +259,7 @@ successful, or false to signal an error."
          (xz    (->store "xz"))
          (mkdir (->store "mkdir"))
          (bash  (->store "bash"))
-         (guile (->store (match system
-                           ("armhf-linux"
-                            "guile-2.0.11.tar.xz")
-                           ("aarch64-linux"
-                            "guile-2.0.14.tar.xz")
-                           (_
-                            "guile-2.0.9.tar.xz"))))
+         (guile (download-bootstrap-guile store system))
          ;; The following code, run by the bootstrap guile after it is
          ;; unpacked, creates a wrapper for itself to set its load path.
          ;; This replaces the previous non-portable method based on
@@ -246,7 +294,7 @@ exec -a \"~a0\" ~a \"~a@\"\n"
 echo \"unpacking bootstrap Guile to '$out'...\"
 ~a $out
 cd $out
-~a -dc < ~a | ~a xv
+~a -dc < $GUILE_TARBALL | ~a xv
 
 # Use the bootstrap guile to create its own wrapper to set the load path.
 GUILE_SYSTEM_PATH=$out/share/guile/2.0 \
@@ -255,14 +303,16 @@ $out/bin/guile -c ~s $out ~a
 
 # Sanity check.
 $out/bin/guile --version~%"
-                                     mkdir xz guile tar
+                                     mkdir xz tar
                                      (format #f "~s" make-guile-wrapper)
                                      bash)
-                             (list mkdir xz guile tar bash))))
+                             (list mkdir xz tar bash))))
     (derivation store name
                 bash `(,builder)
                 #:system system
-                #:inputs `((,bash) (,builder)))))
+                #:inputs `((,bash) (,builder) (,guile))
+                #:env-vars `(("GUILE_TARBALL"
+                              . ,(derivation->output-path guile))))))
 
 (define* (make-raw-bag name
                        #:key source inputs native-inputs outputs
@@ -294,13 +344,6 @@ $out/bin/guile --version~%"
      (home-page #f)
      (license lgpl3+))))
 
-(define %bootstrap-base-urls
-  ;; This is where the initial binaries come from.
-  '("ftp://alpha.gnu.org/gnu/guix/bootstrap"
-    "http://alpha.gnu.org/gnu/guix/bootstrap"
-    "http://www.fdn.fr/~lcourtes/software/guix/packages"
-    "http://flashner.co.il/guix/bootstrap"))
-
 (define %bootstrap-coreutils&co
   (package-from-tarball "bootstrap-binaries"
                         (lambda (system)
diff --git a/gnu/packages/calcurse.scm b/gnu/packages/calcurse.scm
index 44e90448cd..93eeaf0ee6 100644
--- a/gnu/packages/calcurse.scm
+++ b/gnu/packages/calcurse.scm
@@ -40,7 +40,7 @@
         "0il0y06akdqgy0f9p40m4x6arn66nh7sr1w1i41bszycs7div266"))))
     (build-system gnu-build-system)
     (inputs `(("ncurses" ,ncurses)))
-    (native-inputs `(("tzdata" ,tzdata-2017a)))
+    (native-inputs `(("tzdata" ,tzdata-for-tests)))
     (arguments
      ;; The ical tests all want to create a ".calcurse" directory, and may
      ;; fail with "cannot create directory '.calcurse': File exists" if run
@@ -49,7 +49,7 @@
        ;; Since this tzdata is only used for tests and not referenced by the
        ;; built package, used the "fixed" obsolete version of tzdata and ensure
        ;; it does not sneak in to the closure.
-       #:disallowed-references (,tzdata-2017a)
+       #:disallowed-references (,tzdata-for-tests)
        #:phases (modify-phases %standard-phases
                   (add-before 'check 'check-setup
                     (lambda* (#:key inputs #:allow-other-keys)
diff --git a/gnu/packages/calendar.scm b/gnu/packages/calendar.scm
index 159e606a24..0080542997 100644
--- a/gnu/packages/calendar.scm
+++ b/gnu/packages/calendar.scm
@@ -56,9 +56,6 @@
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; test suite appears broken
-       #:configure-flags
-       (list (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            (assoc-ref %outputs "out") "/lib"))
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'patch-paths
@@ -120,8 +117,7 @@ data units.")
                               "not test_printics_read_from_stdin "
                               "and not test_import_from_stdin"))))))))
     (native-inputs
-      ;; XXX Uses tmpdir_factory, introduced in pytest 2.8.
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-setuptools-scm" ,python-setuptools-scm)
        ;; Required for tests
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 1585948b33..76e356ec88 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -65,15 +65,15 @@
 (define-public check
   (package
     (name "check")
-    (version "0.10.0")
+    (version "0.12.0")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "https://github.com/libcheck/check/files/71408/"
-                          "/check-" version ".tar.gz"))
+      (uri (string-append "https://github.com/libcheck/check/releases/download/"
+                          version "/check-" version ".tar.gz"))
       (sha256
        (base32
-        "0lhhywf5nxl3dd0hdakra3aasl590756c9kmvyifb3vgm9k0gxgm"))))
+        "0d22h8xshmbpl9hba9ch3xj8vb9ybm5akpsbbh7yj07fic4h2hj6"))))
     (build-system gnu-build-system)
     (home-page "https://libcheck.github.io/check/")
     (synopsis "Unit test framework for C")
@@ -86,20 +86,6 @@ faults or other signals.  The output from unit tests can be used within
 source code editors and IDEs.")
     (license license:lgpl2.1+)))
 
-;; XXX: Some packages require this newer version.  Incorporate this
-;; into the main 'check' package during the next rebuild cycle.
-(define-public check-0.11.0
-  (package
-    (inherit check)
-    (version "0.11.0")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/libcheck/check/releases"
-                                  "/download/" version "/check-" version ".tar.gz"))
-              (sha256
-               (base32
-                "05jn1pgb7hqb937xky2147nnq3r4qy5wwr79rddpax3bms5a9xr4"))))))
-
 (define-public cunit
   (package
     (name "cunit")
@@ -357,45 +343,43 @@ for every Python test framework.  It supports nose, py.test, and unittest.")
 (define-public python-mock
   (package
     (name "python-mock")
-    (version "1.0.1")
+    (version "2.0.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "mock" version))
        (sha256
         (base32
-         "0kzlsbki6q0awf89rc287f3aj8x431lrajf160a70z0ikhnxsfdq"))))
+         "1flbpksir5sqrvq2z0dp8sl4bzbadg21sj4d42w3klpdfvgvcn5i"))))
+    (propagated-inputs
+     `(("python-pbr" ,python-pbr-minimal)
+       ("python-six" ,python-six)))
     (build-system python-build-system)
-    (arguments '(#:test-target "check"))
+    (native-inputs
+     `(("python-unittest2" ,python-unittest2)))
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "unit2")))))))
     (home-page "https://github.com/testing-cabal/mock")
     (synopsis "Python mocking and patching library for testing")
     (description
      "Mock is a library for testing in Python.  It allows you to replace parts
 of your system under test with mock objects and make assertions about how they
 have been used.")
+    (properties `((python2-variant . ,(delay python2-mock))))
     (license license:expat)))
 
 (define-public python2-mock
-  (package-with-python2 python-mock))
-
-;;; Some packages (notably, certbot and python-acme) rely on this newer version
-;;; of python-mock. However, a large number of packages fail to build with
-;;; mock@2, so we add a new variable for now. Also, there may be a dependency
-;;; cycle between mock and six, so we avoid creating python2-mock@2 for now.
-(define-public python-mock-2
-  (package
-    (inherit python-mock)
-    (version "2.0.0")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (pypi-uri "mock" version))
-        (sha256
-         (base32
-          "1flbpksir5sqrvq2z0dp8sl4bzbadg21sj4d42w3klpdfvgvcn5i"))))
-    (propagated-inputs
-     `(("python-pbr" ,python-pbr-minimal)
-       ,@(package-propagated-inputs python-mock)))))
+  (let ((base (package-with-python2
+               (strip-python2-variant python-mock))))
+    (package (inherit base)
+      (propagated-inputs
+       `(("python2-functools32" ,python2-functools32)
+         ("python2-funcsigs" ,python2-funcsigs)
+         ,@(package-propagated-inputs base))))))
 
 (define-public python-nose
   (package
@@ -452,17 +436,27 @@ interfaces and processes.")
 (define-public python-unittest2
   (package
     (name "python-unittest2")
-    (version "0.5.1")
+    (version "1.1.0")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/u/unittest2py3k/unittest2py3k-"
-             version ".tar.gz"))
+       (uri (pypi-uri "unittest2" version))
+       (patches
+        (search-patches "python-unittest2-python3-compat.patch"
+                        "python-unittest2-remove-argparse.patch"))
        (sha256
         (base32
-         "00yl6lskygcrddx5zspkhr0ibgvpknl4678kkm6s626539grq93q"))))
+         "0y855kmx7a8rnf81d3lh5lyxai1908xjp0laf4glwa4c8472m212"))))
     (build-system python-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "python" "-m" "unittest2" "discover" "--verbose")))))))
+    (propagated-inputs
+     `(("python-six" ,python-six)
+       ("python-traceback2" ,python-traceback2)))
     (home-page "http://pypi.python.org/pypi/unittest2")
     (synopsis "Python unit testing library")
     (description
@@ -471,54 +465,44 @@ standard library.")
     (license license:psfl)))
 
 (define-public python2-unittest2
-  (package (inherit python-unittest2)
-    (name "python2-unittest2")
-    (version "1.1.0")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/u/unittest2/unittest2-"
-             version ".tar.gz"))
-       (sha256
-        (base32
-         "0y855kmx7a8rnf81d3lh5lyxai1908xjp0laf4glwa4c8472m212"))
-       (patches
-        (search-patches "python2-unittest2-remove-argparse.patch"))))
-    (propagated-inputs
-     `(("python2-six" ,python2-six)
-       ("python2-traceback2" ,python2-traceback2)))
-    (arguments
-     `(#:python ,python-2
-       #:tests? #f)))) ; no setup.py test command
+  (package-with-python2 python-unittest2))
 
 (define-public python-pytest
   (package
     (name "python-pytest")
-    (version "2.7.3")
+    (version "3.2.3")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append
-             "https://pypi.python.org/packages/source/p/pytest/pytest-"
-             version ".tar.gz"))
+       (uri (pypi-uri "pytest" version))
        (sha256
         (base32
-         "1z4yi986f9n0p8qmzmn21m21m8j1x78hk3505f89baqm6pdw7afm"))
-       (modules '((guix build utils)))
-       (snippet
-        ;; One of the tests involves the /usr directory, so it fails.
-        '(substitute* "testing/test_argcomplete.py"
-           (("def test_remove_dir_prefix\\(self\\):")
-            "@pytest.mark.xfail\n    def test_remove_dir_prefix(self):")))))
+         "0g6w86ks73fnrnsyib9ii2rbyx830vn7aglsjqz9v1n2xwbndyi7"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'disable-invalid-tests
+           (lambda _
+             ;; Some tests involves the /usr directory, and fails.
+             (substitute* "testing/test_argcomplete.py"
+               (("def test_remove_dir_prefix\\(self\\):")
+                "@pytest.mark.xfail\n    def test_remove_dir_prefix(self):"))
+             (substitute* "testing/test_argcomplete.py"
+               (("def test_remove_dir_prefix" line)
+                (string-append "@pytest.mark.skip"
+                               "(reason=\"Assumes that /usr exists.\")\n    "
+                               line)))
+             #t)))))
     (propagated-inputs
      `(("python-py" ,python-py)))
     (native-inputs
      `(;; Tests need the "regular" bash since 'bash-final' lacks `compgen`.
        ("bash" ,bash)
+       ("python-hypothesis" ,python-hypothesis)
        ("python-nose" ,python-nose)
-       ("python-mock" ,python-mock)))
+       ("python-mock" ,python-mock)
+       ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "http://pytest.org")
     (synopsis "Python testing library")
     (description
@@ -530,41 +514,15 @@ and many external plugins.")
 (define-public python2-pytest
   (package-with-python2 python-pytest))
 
-;; Some packages require a newer pytest.
-(define-public python-pytest-3.0
+(define-public python-pytest-bootstrap
   (package
     (inherit python-pytest)
-    (name "python-pytest")
-    (version "3.0.7")
-    (source (origin
-              (method url-fetch)
-              (uri (pypi-uri "pytest" version))
-              (sha256
-               (base32
-                "1asc4b2nd2a4f0g3r12y97rslq5wliji7b73wwkvdrm5s7mrc1mp"))))
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         (add-before 'check 'disable-invalid-test
-           (lambda _
-             (substitute* "testing/test_argcomplete.py"
-               (("def test_remove_dir_prefix" line)
-                (string-append "@pytest.mark.skip"
-                               "(reason=\"Assumes that /usr exists.\")\n    "
-                               line)))
-             #t)))))
-    (native-inputs
-     `(("python-hypothesis" ,python-hypothesis)
-       ,@(package-native-inputs python-pytest)))
-    (properties `((python2-variant . ,(delay python2-pytest-3.0))))))
+    (name "python-pytest-bootstrap")
+    (native-inputs `(("python-setuptools-scm" ,python-setuptools-scm)))
+    (arguments `(#:tests? #f))))
 
-(define-public python2-pytest-3.0
-  (let ((base (package-with-python2
-                (strip-python2-variant python-pytest-3.0))))
-    (package (inherit base)
-      (native-inputs
-        `(("python2-enum34" ,python2-enum34)
-          ,@(package-native-inputs base))))))
+(define-public python2-pytest-bootstrap
+  (package-with-python2 python-pytest-bootstrap))
 
 (define-public python-pytest-cov
   (package
@@ -626,7 +584,7 @@ supports coverage of subprocesses.")
                (string-append "version = \"" ,version "\"")))
             #t)))))
     (native-inputs
-     `(("python-pytest" ,python-pytest)
+     `(("python-pytest" ,python-pytest-bootstrap)
        ("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "https://github.com/pytest-dev/pytest-runner")
     (synopsis "Invoke py.test as a distutils command")
@@ -951,14 +909,14 @@ have failed since the last commit or what tests are currently failing.")
 (define-public python-coverage
   (package
     (name "python-coverage")
-    (version "4.1")
+    (version "4.4.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "coverage" version))
        (sha256
         (base32
-         "01rbr4br4lsk0lwn8fb96zwd2xr4f0mg1w7iq3j11i8f5ig2nqs1"))))
+         "097l4s3ssxm1vncsn0nw3a1pbzah28773q36c1ab9wz01r04973s"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: 95 tests failed, 539 passed, 6 skipped, 2 errors.
@@ -1099,13 +1057,13 @@ the last py.test invocation.")
 (define-public python-pytest-localserver
   (package
     (name "python-pytest-localserver")
-    (version "0.3.5")
+    (version "0.4.1")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri "pytest-localserver" version))
              (sha256
               (base32
-               "0dvqspjr6va55zwmnnc2mmpqc7mm65kxig9ya44x1z8aadzxpa4p"))))
+               "08f06rvj31wqf0vgmd1waya87r7vy6x8ck48lxl3dxy83q5gcam7"))))
     (build-system python-build-system)
     (arguments
       `(#:phases (modify-phases %standard-phases
@@ -1184,7 +1142,7 @@ normally the case.")
     (build-system python-build-system)
     (native-inputs
      `(("python-flake8" ,python-flake8)
-       ("python-pytest" ,python-pytest)))
+       ("python-pytest" ,python-pytest-bootstrap)))
     (synopsis "Library for property based testing")
     (description "Hypothesis is a library for testing your Python code against a
 much larger range of examples than you would ever want to write by hand.  It’s
@@ -1426,7 +1384,7 @@ recognize TestCases.")
          "0gf2dpahpl5igb7jh1sr9acj3z3gp7zahqdqb69nk6wx01c8kc1g"))))
     (build-system python-build-system)
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "https://github.com/fschulze/pytest-warnings")
     (synopsis "Pytest plugin to list Python warnings in pytest report")
     (description
@@ -1450,7 +1408,7 @@ pytest report.")
          "038049nyjl7di59ycnxvc9nydivc5m8np3hqq84j2iirkccdbs5n"))))
     (build-system python-build-system)
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "https://bitbucket.org/memedough/pytest-capturelog/overview")
     (synopsis "Pytest plugin to catch log messages")
     (description
@@ -1475,7 +1433,7 @@ pytest report.")
     (native-inputs
      `(("unzip" ,unzip)))
     (propagated-inputs
-     `(("pytest" ,python-pytest-3.0)))
+     `(("pytest" ,python-pytest)))
     (home-page "https://github.com/eisensheng/pytest-catchlog")
     (synopsis "Pytest plugin to catch log messages")
     (description
@@ -1791,7 +1749,7 @@ retried.")
     (native-inputs                      ; All native inputs are for tests
      `(("python-pytest-cov" ,python-pytest-cov)
        ("python-mock" ,python-mock)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-hypothesis" ,python-hypothesis)))
     (propagated-inputs
      `(("python-six" ,python-six)))
diff --git a/gnu/packages/chez.scm b/gnu/packages/chez.scm
index 4b5b8e8bc7..bb7767670d 100644
--- a/gnu/packages/chez.scm
+++ b/gnu/packages/chez.scm
@@ -70,7 +70,12 @@
                            "v" version ".tar.gz"))
        (sha256
         (base32 "135991hspq0grf26pvl2lkwhp92yz204h6rgiwyym0x6v0xzknd1"))
-       (file-name (string-append "chez-scheme-" version ".tar.gz"))))
+       (file-name (string-append "chez-scheme-" version ".tar.gz"))
+       (modules '((guix build utils)))
+       (snippet
+        ;; Fix compilation with glibc >= 2.26, which removed xlocale.h.
+        '(substitute* "c/expeditor.c"
+           (("xlocale\\.h") "locale.h")))))
     (build-system gnu-build-system)
     (inputs
      `(("ncurses" ,ncurses)
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 4a9aed09c1..7286e954c5 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015, 2017 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -47,6 +47,7 @@
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
+  #:use-module (guix memoization)
   #:use-module (guix utils)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
@@ -150,23 +151,22 @@
         #:modules ((guix build gnu-build-system)
                    (guix build utils)
                    (ice-9 ftw))                    ; for 'scandir'
-        #:phases (alist-cons-after
-                  'install 'add-symlinks
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    ;; The cross-gcc invokes 'as', 'ld', etc, without the
-                    ;; triplet prefix, so add symlinks.
-                    (let ((out (assoc-ref outputs "out"))
-                          (triplet-prefix (string-append ,(boot-triplet) "-")))
-                      (define (has-triplet-prefix? name)
-                        (string-prefix? triplet-prefix name))
-                      (define (remove-triplet-prefix name)
-                        (substring name (string-length triplet-prefix)))
-                      (with-directory-excursion (string-append out "/bin")
-                        (for-each (lambda (name)
-                                    (symlink name (remove-triplet-prefix name)))
-                                  (scandir "." has-triplet-prefix?)))
-                      #t))
-                  %standard-phases)
+        #:phases (modify-phases %standard-phases
+                   (add-after 'install 'add-symlinks
+                     (lambda* (#:key outputs #:allow-other-keys)
+                       ;; The cross-gcc invokes 'as', 'ld', etc, without the
+                       ;; triplet prefix, so add symlinks.
+                       (let ((out (assoc-ref outputs "out"))
+                             (triplet-prefix (string-append ,(boot-triplet) "-")))
+                         (define (has-triplet-prefix? name)
+                           (string-prefix? triplet-prefix name))
+                         (define (remove-triplet-prefix name)
+                           (substring name (string-length triplet-prefix)))
+                         (with-directory-excursion (string-append out "/bin")
+                           (for-each (lambda (name)
+                                       (symlink name (remove-triplet-prefix name)))
+                                     (scandir "." has-triplet-prefix?)))
+                         #t))))
 
         ,@(substitute-keyword-arguments (package-arguments binutils)
             ((#:configure-flags cf)
@@ -174,12 +174,28 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+;; gcc-4.9 was fixed late in the core-update cycle and so this GCC is only
+;; needed to prevent a full world rebuild, and can be replaced with gcc-4.9.
+(define gcc-for-libstdc++
+  (package (inherit gcc-4.9)
+    (version "4.9.4")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/gcc/gcc-"
+                                  version "/gcc-" version ".tar.bz2"))
+              (sha256
+               (base32
+                "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
+              (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-libvtv-runpath.patch"
+                                       "gcc-fix-texi2pod.patch"))))))
+
 (define libstdc++-boot0
   ;; GCC's libcc1 is always built as a shared library (the top-level
   ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
   ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
-  ;; C++14 features missing in our bootstrap compiler.
-  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+  ;; C++14 features missing in some of our bootstrap compilers.
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-for-libstdc++))))
     (package
       (inherit lib)
       (name "libstdc++-boot0")
@@ -287,9 +303,8 @@
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
                ,@(alist-delete "libc" %boot0-inputs)))
 
-     ;; No need for Texinfo at this stage.
-     (native-inputs (alist-delete "texinfo"
-                                  (package-native-inputs gcc))))))
+     ;; No need for the native-inputs to build the documentation at this stage.
+     (native-inputs `()))))
 
 (define perl-boot0
   (let ((perl (package
@@ -357,18 +372,21 @@
                                    (current-source-location)
                                    #:guile %bootstrap-guile))))
 
-(define (linux-libre-headers-boot0)
-  "Return Linux-Libre header files for the bootstrap environment."
-  ;; Note: this is wrapped in a thunk to nicely handle circular dependencies
-  ;; between (gnu packages linux) and this module.
-  (package-with-bootstrap-guile
-   (package (inherit linux-libre-headers)
-     (arguments `(#:guile ,%bootstrap-guile
-                  #:implicit-inputs? #f
-                  ,@(package-arguments linux-libre-headers)))
-     (native-inputs
-      `(("perl" ,perl-boot0)
-        ,@%boot0-inputs)))))
+(define linux-libre-headers-boot0
+  (mlambda ()
+    "Return Linux-Libre header files for the bootstrap environment."
+    ;; Note: this is wrapped in a thunk to nicely handle circular dependencies
+    ;; between (gnu packages linux) and this module.  Additionally, memoize
+    ;; the result to play well with further memoization and code that relies
+    ;; on pointer identity; see <https://bugs.gnu.org/30155>.
+    (package-with-bootstrap-guile
+     (package (inherit linux-libre-headers)
+              (arguments `(#:guile ,%bootstrap-guile
+                           #:implicit-inputs? #f
+                           ,@(package-arguments linux-libre-headers)))
+              (native-inputs
+               `(("perl" ,perl-boot0)
+                 ,@%boot0-inputs))))))
 
 (define gnumach-headers-boot0
   (package-with-bootstrap-guile
@@ -409,18 +427,19 @@
                                    (current-source-location)
                                    #:guile %bootstrap-guile))))
 
-(define (hurd-core-headers-boot0)
-  "Return the Hurd and Mach headers as well as initial Hurd libraries for
+(define hurd-core-headers-boot0
+  (mlambda ()
+    "Return the Hurd and Mach headers as well as initial Hurd libraries for
 the bootstrap environment."
-  (package-with-bootstrap-guile
-   (package (inherit hurd-core-headers)
-            (arguments `(#:guile ,%bootstrap-guile
-                                 ,@(package-arguments hurd-core-headers)))
-            (inputs
-             `(("gnumach-headers" ,gnumach-headers-boot0)
-               ("hurd-headers" ,hurd-headers-boot0)
-               ("hurd-minimal" ,hurd-minimal-boot0)
-               ,@%boot0-inputs)))))
+    (package-with-bootstrap-guile
+     (package (inherit hurd-core-headers)
+              (arguments `(#:guile ,%bootstrap-guile
+                           ,@(package-arguments hurd-core-headers)))
+              (inputs
+               `(("gnumach-headers" ,gnumach-headers-boot0)
+                 ("hurd-headers" ,hurd-headers-boot0)
+                 ("hurd-minimal" ,hurd-minimal-boot0)
+                 ,@%boot0-inputs))))))
 
 (define* (kernel-headers-boot0 #:optional (system (%current-system)))
   (match system
@@ -467,7 +486,7 @@ the bootstrap environment."
   ;; built just below; the only difference is that this one uses the
   ;; bootstrap Bash.
   (package-with-bootstrap-guile
-   (package/inherit glibc
+   (package (inherit glibc)
      (name "glibc-intermediate")
      (arguments
       `(#:guile ,%bootstrap-guile
@@ -584,12 +603,24 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
   (let* ((gcc  (cross-gcc-wrapper gcc-boot0 binutils-boot0
                                   glibc-final-with-bootstrap-bash
                                   (car (assoc-ref %boot1-inputs "bash"))))
-         (bash (package (inherit static-bash)
+         (bash (package
+                 (inherit static-bash)
                  (arguments
-                  `(#:guile ,%bootstrap-guile
-                    ,@(package-arguments static-bash)))))
+                  (substitute-keyword-arguments
+                      (package-arguments static-bash)
+                    ((#:guile _ #f)
+                     '%bootstrap-guile)
+                    ((#:configure-flags flags '())
+                     ;; Add a '-L' flag so that the pseudo-cross-ld of
+                     ;; BINUTILS-BOOT0 can find libc.a.
+                     `(append ,flags
+                              (list (string-append "LDFLAGS=-static -L"
+                                                   (assoc-ref %build-inputs
+                                                              "libc:static")
+                                                   "/lib"))))))))
          (inputs `(("gcc" ,gcc)
                    ("libc" ,glibc-final-with-bootstrap-bash)
+                   ("libc:static" ,glibc-final-with-bootstrap-bash "static")
                    ,@(fold alist-delete %boot1-inputs
                            '("gcc" "libc")))))
     (package-with-bootstrap-guile
@@ -633,7 +664,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 
 (define glibc-final
   ;; The final glibc, which embeds the statically-linked Bash built above.
-  (package/inherit glibc-final-with-bootstrap-bash
+  (package (inherit glibc-final-with-bootstrap-bash)
     (name "glibc")
     (inputs `(("static-bash" ,static-bash-for-glibc)
               ,@(alist-delete
@@ -664,12 +695,13 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define %boot2-inputs
   ;; 3rd stage inputs.
   `(("libc" ,glibc-final)
+    ("libc:static" ,glibc-final "static")
     ("gcc" ,gcc-boot0-wrapped)
     ,@(fold alist-delete %boot1-inputs '("libc" "gcc"))))
 
 (define binutils-final
   (package-with-bootstrap-guile
-   (package/inherit binutils
+   (package (inherit binutils)
      (arguments
       `(#:guile ,%bootstrap-guile
         #:implicit-inputs? #f
@@ -680,34 +712,29 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
 (define libstdc++
   ;; Intermediate libstdc++ that will allow us to build the final GCC
   ;; (remember that GCC-BOOT0 cannot build libstdc++.)
-  ;; TODO: Write in terms of 'make-libstdc++'.
-  (package-with-bootstrap-guile
-   (package (inherit gcc)
-     (name "libstdc++")
-     (arguments
-      `(#:guile ,%bootstrap-guile
-        #:implicit-inputs? #f
-        #:allowed-references ("out")
-        #:out-of-source? #t
-        #:phases (alist-cons-before
-                  'configure 'chdir
-                  (lambda _
-                    (chdir "libstdc++-v3"))
-                  %standard-phases)
-        #:configure-flags `("--disable-shared"
-                            "--disable-libstdcxx-threads"
-                            "--disable-libstdcxx-pch"
-                            ,(string-append "--with-gxx-include-dir="
-                                            (assoc-ref %outputs "out")
-                                            "/include"
-                                            ;; "/include/c++/"
-                                            ;; ,(package-version gcc)
-                                            ))))
-     (outputs '("out"))
-     (inputs %boot2-inputs)
-     (native-inputs '())
-     (propagated-inputs '())
-     (synopsis "GNU C++ standard library (intermediate)"))))
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc))))
+    (package
+      (inherit lib)
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+         #:allowed-references ("out")
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ;; All of the package arguments from 'make-libstdc++
+         ;; except for the configure-flags.
+         ,@(package-arguments lib)
+         #:configure-flags `("--disable-shared"
+                             "--disable-libstdcxx-threads"
+                             "--disable-libstdcxx-pch"
+                             ,(string-append "--with-gxx-include-dir="
+                                             (assoc-ref %outputs "out")
+                                             "/include"))))
+      (outputs '("out"))
+      (inputs %boot2-inputs)
+      (synopsis "GNU C++ standard library (intermediate)"))))
 
 (define zlib-final
   ;; Zlib used by GCC-FINAL.
@@ -780,6 +807,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
     ;; scripts such as 'mkheaders' and 'fixinc.sh' (XXX: who cares about these
     ;; scripts?).
     (native-inputs `(("texinfo" ,texinfo-boot0)
+                     ("perl" ,perl-boot0) ;for manpages
                      ("static-bash" ,static-bash-for-glibc)
                      ,@(package-native-inputs gcc-boot0)))
 
@@ -925,12 +953,13 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
       ("binutils" ,binutils-final)
       ("gcc" ,gcc-final)
       ("libc" ,glibc-final)
+      ("libc:static" ,glibc-final "static")
       ("locales" ,glibc-utf8-locales-final))))
 
 (define-public canonical-package
   (let ((name->package (fold (lambda (input result)
                                (match input
-                                 ((_ package)
+                                 ((_ package . outputs)
                                   (vhash-cons (package-full-name package)
                                               package result))))
                              vlist-null
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index eaf41062ff..e5746c8952 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -210,7 +210,16 @@ adding and extracting files to/from a tar archive.")
    (synopsis "General file (de)compression (using lzw)")
    (arguments
     ;; FIXME: The test suite wants `less', and optionally Perl.
-    '(#:tests? #f))
+    '(#:tests? #f
+      #:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'use-absolute-name-of-gzip
+          (lambda* (#:key outputs #:allow-other-keys)
+            (substitute* "gunzip.in"
+              (("exec gzip")
+               (string-append "exec " (assoc-ref outputs "out")
+                              "/bin/gzip")))
+            #t)))))
    (description
     "GNU Gzip provides data compression and decompression utilities; the
 typical extension is \".gz\".  Unlike the \"zip\" format, it compresses a single
@@ -349,7 +358,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
 (define-public xz
   (package
    (name "xz")
-   (version "5.2.2")
+   (version "5.2.3")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "http://tukaani.org/xz/xz-" version
@@ -358,7 +367,7 @@ compressed with pbzip2 can be decompressed with bzip2).")
                                       version ".tar.gz")))
             (sha256
              (base32
-              "18h2k4jndhzjs8ln3a54qdnfv59y6spxiwh9gpaqniph6iflvpvk"))))
+              "1jr8pxnz55ifc8cvp3ivgl79ph9iik5aypsc9cma228aglsqp4ki"))))
    (build-system gnu-build-system)
    (synopsis "General-purpose data compression")
    (description
@@ -377,7 +386,7 @@ than gzip and 15 % smaller output than bzip2.")
 (define-public lzo
   (package
     (name "lzo")
-    (version "2.09")
+    (version "2.10")
     (source
      (origin
       (method url-fetch)
@@ -385,7 +394,7 @@ than gzip and 15 % smaller output than bzip2.")
                           version ".tar.gz"))
       (sha256
        (base32
-        "0k5kpj3jnsjfxqqkblpfpx0mqcy86zs5fhjhgh2kq1hksg7ag57j"))))
+        "0wm04519pd3g8hqpjqhfr72q8qmbiwqaxcs3cndny9h86aa95y60"))))
     (build-system gnu-build-system)
     (arguments '(#:configure-flags '("--enable-shared")))
     (home-page "http://www.oberhumer.com/opensource/lzo")
@@ -464,14 +473,14 @@ some compression ratio).")
 (define-public lzip
   (package
     (name "lzip")
-    (version "1.18")
+    (version "1.19")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://savannah/lzip/lzip-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "1p8lvc22sv3damld9ng8y6i8z2dvvpsbi9v7yhr5bc2a20m8iya7"))))
+               "1abbch762gv8rjr579q3qyyk6c80plklbv2mw4x0vg71dgsw9bgz"))))
     (build-system gnu-build-system)
     (home-page "http://www.nongnu.org/lzip/lzip.html")
     (synopsis "Lossless data compressor based on the LZMA algorithm")
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index 82b10fe843..0f5997951c 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -250,6 +250,7 @@ target that libc."
                    ,@inputs)))
             (libc
              `(("libc" ,libc)
+               ("libc:static" ,libc "static")
                ("xkernel-headers"                ;the target headers
                 ,@(assoc-ref (package-propagated-inputs libc)
                              "kernel-headers"))
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index fdfe9442a3..89c58f864b 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2016 Danny Milosavljevic <dannym@scratchpost.org>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,7 +50,7 @@
 (define-public cups-filters
   (package
     (name "cups-filters")
-    (version "1.17.7")
+    (version "1.17.9")
     (source(origin
               (method url-fetch)
               (uri
@@ -58,7 +58,7 @@
                               "cups-filters-" version ".tar.xz"))
               (sha256
                (base32
-                "1mg397kgfx0rs9j852f8ppmvaz2al5l75ildbgiqg6j3gwq5jssw"))
+                "0i7mvvnq7ayhxn1ajci8h7l3cijzwr9d50p58h0rbsh9hf63zblq"))
               (modules '((guix build utils)))
               (snippet
                ;; install backends, banners and filters to cups-filters output
@@ -172,7 +172,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
 (define-public cups-minimal
   (package
     (name "cups-minimal")
-    (version "2.2.4")
+    (version "2.2.6")
     (source
      (origin
        (method url-fetch)
@@ -180,7 +180,7 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
                            version "/cups-" version "-source.tar.gz"))
        (sha256
         (base32
-         "1k4qxafmapq6hzbkh273fdyzkj9alw6ppwz5k933bhsi4svlsvar"))))
+         "16qn41b84xz6khrr2pa2wdwlqxr29rrrkjfi618gbgdkq9w5ff20"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index cccbbc8d99..a5869140ff 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,15 +46,14 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.55.1")
-   (replacement curl-7.57.0)
+   (version "7.57.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://curl.haxx.se/download/curl-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1dvbcwcar3dv488h9378hy145ma3ws2fwpbr6mgszd7chipcmbry"))))
+              "0y3qbjjcxhcvm1yawp3spfssjbskv0g6gyzld6ckif5pf8ygvxpm"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -69,6 +69,15 @@
        ("groff" ,groff)
        ("pkg-config" ,pkg-config)
        ("python" ,python-2)))
+   (native-search-paths
+    ;; Note: This search path is respected by the `curl` command-line tool only.
+    ;; Ideally we would bake this into libcurl itself so other users can benefit,
+    ;; but it's not supported upstream due to thread safety concerns.
+    (list (search-path-specification
+           (variable "CURL_CA_BUNDLE")
+           (file-type 'regular)
+           (separator #f)                         ;single entry
+           (files '("etc/ssl/certs/ca-certificates.crt")))))
    (arguments
     `(#:configure-flags '("--with-gnutls" "--with-gssapi")
       ;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
@@ -126,19 +135,6 @@ tunneling, and so on.")
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
 
-(define-public curl-7.57.0
-  (package
-    (inherit curl)
-    (version "7.57.0")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append "https://curl.haxx.se/download/curl-"
-                            version ".tar.xz"))
-        (sha256
-         (base32
-          "0y3qbjjcxhcvm1yawp3spfssjbskv0g6gyzld6ckif5pf8ygvxpm"))))))
-
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index c0cf41a5bc..34b77e6651 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -943,7 +943,7 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.19.3")
+   (version "3.21.0")
    (source (origin
             (method url-fetch)
             (uri (let ((numeric-version
@@ -959,7 +959,7 @@ for example from a shell script.")
                                   numeric-version ".tar.gz")))
             (sha256
              (base32
-              "00b3l2qglpl1inx21fckiwxnfq5xf6441flc79rqg7zdvh1rq4h6"))))
+              "1qxvzdjwzw6k0kqjfabj86rnq87xdbwbca7laxxdhnh0fmkm3pfp"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -1928,7 +1928,7 @@ Memory-Mapped Database} (LMDB), a high-performance key-value store.")
              #t)))))
     (native-inputs
      `(("python-pytest-mock" ,python-pytest-mock)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-flexmock" ,python-flexmock)))
     (propagated-inputs
      `(("python-backpack" ,python-backpack)
@@ -2211,14 +2211,15 @@ PickleShare.")
 (define-public python-apsw
   (package
     (name "python-apsw")
-    (version "3.9.2-r1")
+    (version "3.20.1-r1")
     (source
       (origin
         (method url-fetch)
-        (uri (pypi-uri "apsw" version))
+        (uri (string-append "https://github.com/rogerbinns/apsw/archive/"
+                            version ".tar.gz"))
         (sha256
           (base32
-           "0w4jb0wpx785qw42r3h4fh7gl5w2968q48i7gygybsfxck8nzffs"))))
+           "00ai7m2pqi26qaflhz314d8k5i3syw7xzr145fhfl0crhyh6adz2"))))
     (build-system python-build-system)
     (inputs
       `(("sqlite" ,sqlite)))
diff --git a/gnu/packages/display-managers.scm b/gnu/packages/display-managers.scm
index 2f4a8c2d73..6e3d4912de 100644
--- a/gnu/packages/display-managers.scm
+++ b/gnu/packages/display-managers.scm
@@ -208,7 +208,7 @@ create smooth, animated user interfaces.")
 (define-public lightdm
   (package
     (name "lightdm")
-    (version "1.22.0")
+    (version "1.24.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://launchpad.net/lightdm/"
@@ -217,7 +217,7 @@ create smooth, animated user interfaces.")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0a5bvfl2h7r873al6q7c819h0kg564k9fh51rl6489z6lyvazfg4"))))
+                "18j33bm54i8k7ncxcs69zqi4105s62n58jrydqn3ikrb71s9nl6d"))))
     (build-system gnu-build-system)
     (arguments
      '(#:parallel-tests? #f ; fails when run in parallel
diff --git a/gnu/packages/django.scm b/gnu/packages/django.scm
index 4f3e4914fa..936c15d2f7 100644
--- a/gnu/packages/django.scm
+++ b/gnu/packages/django.scm
@@ -155,7 +155,7 @@ with arguments to the field constructor.")
      `(("python-django" ,python-django)
        ("python-setuptools-scm" ,python-setuptools-scm)))
     (propagated-inputs
-     `(("python-pytest" ,python-pytest-3.0)))
+     `(("python-pytest" ,python-pytest)))
     (home-page "http://pytest-django.readthedocs.org/")
     (synopsis "Django plugin for py.test")
     (description "Pytest-django is a plugin for py.test that provides a set of
diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm
index 189ece01ab..ed1e60a7a3 100644
--- a/gnu/packages/docbook.scm
+++ b/gnu/packages/docbook.scm
@@ -136,6 +136,8 @@ by no means limited to these applications.)  This package provides XML DTDs.")
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/docbook/docbook-xsl/"
                                   version "/docbook-xsl-" version ".tar.bz2"))
+              ;; Note: If removing all patches, the XZ dependency is no longer needed.
+              (patches (search-patches "docbook-xsl-nonrecursive-string-subst.patch"))
               (sha256
                (base32
                 "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))))
@@ -145,11 +147,12 @@ by no means limited to these applications.)  This package provides XML DTDs.")
                    (use-modules (guix build utils))
 
                    (let* ((bzip2  (assoc-ref %build-inputs "bzip2"))
+                          (xz     (assoc-ref %build-inputs "xz"))
                           (tar    (assoc-ref %build-inputs "tar"))
                           (source (assoc-ref %build-inputs "source"))
                           (out    (assoc-ref %outputs "out"))
                           (xsl    (string-append out "/xml/xsl")))
-                     (setenv "PATH" (string-append bzip2 "/bin"))
+                     (setenv "PATH" (string-append bzip2 "/bin" ":" xz "/bin"))
                      (system* (string-append tar "/bin/tar") "xvf" source)
 
                      (mkdir-p xsl)
@@ -162,6 +165,7 @@ by no means limited to these applications.)  This package provides XML DTDs.")
                                        name-version "/")))))
                  #:modules ((guix build utils))))
     (native-inputs `(("bzip2" ,bzip2)
+                     ("xz" ,xz)
                      ("tar" ,tar)))
     (home-page "http://docbook.org")
     (synopsis "DocBook XSL style sheets for document authoring")
diff --git a/gnu/packages/documentation.scm b/gnu/packages/documentation.scm
index 9c5ca74d73..c870084746 100644
--- a/gnu/packages/documentation.scm
+++ b/gnu/packages/documentation.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2016 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Kei Kebreau <kkebreau@posteo.net>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -126,7 +127,7 @@ markup) can be customized and extended by the user.")
     (build-system cmake-build-system)
     (native-inputs
      `(("bison" ,bison)
-       ("flex" ,flex)
+       ("flex" ,flex-2.6.1) ; sefaults with 2.6.4
        ("libxml2" ,libxml2) ; provides xmllint for the tests
        ("python" ,python-2))) ; for creating the documentation
     (inputs
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 0c3d5139ac..4464376a1f 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Taylan Ulrich Bayirli/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015, 2016, 2017 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2015, 2016, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
@@ -254,10 +254,11 @@ editor (console only)")
     (inputs (fold alist-delete
                   (package-inputs emacs)
                   '("libx11" "gtk+" "libxft" "libtiff" "giflib" "libjpeg"
-                    "libpng" "librsvg" "libxpm" "libice" "libsm"
+                    "imagemagick" "libpng" "librsvg" "libxpm" "libice"
+                    "libsm"
 
-                    ;; D-Bus depends on libx11, so remove it as well.
-                    "dbus")))))
+                    ;; These depend on libx11, so remove them as well.
+                    "libotf" "m17n-lib" "dbus")))))
 
 (define-public emacs-no-x-toolkit
   (package (inherit emacs)
diff --git a/gnu/packages/engineering.scm b/gnu/packages/engineering.scm
index 24051baf03..e94aeedf54 100644
--- a/gnu/packages/engineering.scm
+++ b/gnu/packages/engineering.scm
@@ -696,8 +696,6 @@ language.")
                                (string-take commit 7))
                "-DCMAKE_BUILD_TYPE=Release"
                "-DKICAD_SKIP_BOOST=ON"; Use our system's boost library.
-               (string-append "-DCMAKE_INSTALL_LIBDIR="
-                              (assoc-ref %outputs "out") "/lib")
                "-DKICAD_SCRIPTING=ON"
                "-DKICAD_SCRIPTING_MODULES=ON"
                "-DKICAD_SCRIPTING_WXPYTHON=ON"
diff --git a/gnu/packages/file.scm b/gnu/packages/file.scm
index 34a4bba673..0473c519d5 100644
--- a/gnu/packages/file.scm
+++ b/gnu/packages/file.scm
@@ -27,16 +27,15 @@
 
 (define-public file
   (package
-    (replacement file/fixed)
     (name "file")
-    (version "5.30")
+    (version "5.32")
     (source (origin
               (method url-fetch)
               (uri (string-append "ftp://ftp.astron.com/pub/file/file-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "057jpcyy8ws7q4s4sm8r1rxb8xycdbng2z4y9i98f094wlr28k39"))))
+                "0l1bfa0icng9vdwya00ff48fhvjazi5610ylbhl35qi13d6xqfc6"))))
    (build-system gnu-build-system)
 
    ;; When cross-compiling, this package depends upon a native install of
@@ -50,11 +49,4 @@ you in words what kind of data a file contains.  It does not rely on filename
 extensions to tell you the type of a file, but looks at the actual contents
 of the file.  This package provides the libmagic library.")
    (license bsd-2)
-   (home-page "http://www.darwinsys.com/file/")))
-
-(define file/fixed
-  (package
-    (inherit file)
-    (source (origin
-              (inherit (package-source file))
-              (patches (search-patches "file-CVE-2017-1000249.patch"))))))
+   (home-page "https://www.darwinsys.com/file/")))
diff --git a/gnu/packages/fltk.scm b/gnu/packages/fltk.scm
index 1c257abbec..af7186ab7f 100644
--- a/gnu/packages/fltk.scm
+++ b/gnu/packages/fltk.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
+;;; Copyright © 2018 Mark H Weaver <mhw@netris.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -50,6 +51,8 @@
       (patches (search-patches "fltk-shared-lib-defines.patch"
                                "fltk-xfont-on-demand.patch"))))
    (build-system gnu-build-system)
+   (native-inputs
+    `(("pkg-config" ,pkg-config)))
    (inputs
     `(("libjpeg" ,libjpeg-8)     ;jpeg_read_header argument error in libjpeg-9
       ("libpng" ,libpng)
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 19d5171956..d34b4b42f9 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -53,13 +53,13 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.8")
+   (version "2.8.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "02xlj611alpvl3h33hvfw1jyxc1vp9mzwcckkiglkhn3hknh7im3"))))
+                     "0y3xrimgp0k39gwq1vdi7b7wjy0z9fhwmzafisxqfardw015yhz5"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
@@ -230,20 +230,21 @@ fonts to/from the WOFF2 format.")
 (define-public fontconfig
   (package
    (name "fontconfig")
-   (version "2.12.3")
+   (version "2.12.6")
    (source (origin
             (method url-fetch)
             (uri (string-append
                    "https://www.freedesktop.org/software/fontconfig/release/fontconfig-"
                    version ".tar.bz2"))
+            (patches (search-patches "fontconfig-remove-debug-printf.patch"))
             (sha256 (base32
-                     "1ggq6jmz3mlzk4xjs615aqw9h3hq33chjn82bhli26kk09kby95x"))))
+                     "05zh65zni11kgnhg726gjbrd55swspdvhqbcnj5a5xh8gn03036g"))))
    (build-system gnu-build-system)
    (propagated-inputs `(("expat" ,expat)
                         ("freetype" ,freetype)))
    (inputs `(("gs-fonts" ,gs-fonts)))
    (native-inputs
-    `(("gperf" ,gperf) ; Try dropping this for > 2.12.3.
+    `(("gperf" ,gperf)
       ("pkg-config" ,pkg-config)))
    (arguments
     `(#:configure-flags
@@ -262,13 +263,6 @@ fonts to/from the WOFF2 format.")
             "PYTHON=false")
       #:phases
       (modify-phases %standard-phases
-        (add-before 'configure 'regenerate-fcobjshash
-          ;; XXX The pre-generated gperf files are broken.
-          ;; See <https://bugs.freedesktop.org/show_bug.cgi?id=101280>.
-          (lambda _
-            (delete-file "src/fcobjshash.h")
-            (delete-file "src/fcobjshash.gperf")
-            #t))
         (replace 'install
                  (lambda _
                    ;; Don't try to create /var/cache/fontconfig.
@@ -412,7 +406,8 @@ and returns a sequence of positioned glyphids from the font.")
                           "/potrace-" version ".tar.gz"))
       (sha256
        (base32
-        "17ajildjp14shsy339xarh1lw1p0k60la08ahl638a73mh23kcx9"))))
+        "17ajildjp14shsy339xarh1lw1p0k60la08ahl638a73mh23kcx9"))
+      (patches (search-patches "potrace-tests.patch"))))
     (build-system gnu-build-system)
     (native-inputs `(("ghostscript" ,ghostscript))) ;for tests
     (inputs `(("zlib" ,zlib)))
@@ -442,6 +437,8 @@ resolution.")
               (sha256
                (base32 "0239zvfan56w7vrppriwy77fzb10ag9llaz15nsraps2a2x6di3v"))))
     (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
     (propagated-inputs
      `(("freetype" ,freetype)))
     (home-page "http://www.nongnu.org/m17n/")
@@ -556,7 +553,11 @@ definitions.")
                           "libxml2" "zlib" "libspiro" "freetype"
                           "pango" "cairo" "fontconfig")))
                 ;; Checks for potrace program at runtime
-                `("PATH" ":" prefix (,potrace)))))))))
+                `("PATH" ":" prefix (,potrace)))))))
+
+      ;; Skip test 40 "FontForge .sfd file open check" to work around
+      ;; <https://github.com/fontforge/fontforge/issues/3246>.
+      #:make-flags '("TESTSUITEFLAGS=-k '!\\.sfd'")))
    (synopsis "Outline font editor")
    (description
     "FontForge allows you to create and modify postscript, truetype and
@@ -582,7 +583,7 @@ generate bitmaps.")
      `(("python2-fonttools" ,python2-fonttools)))
     (native-inputs
      `(("unzip" ,unzip)
-       ("python2-pytest-3.0" ,python2-pytest-3.0)
+       ("python2-pytest" ,python2-pytest)
        ("python2-pytest-runner" ,python2-pytest-runner)))
     (home-page "https://github.com/unified-font-object/ufoLib")
     (synopsis "Low-level UFO reader and writer")
@@ -607,7 +608,7 @@ files.  UFO is a file format that stores fonts source files.")
      `(#:python ,python-2))
     (native-inputs
      `(("unzip" ,unzip)
-       ("python2-pytest-3.0" ,python2-pytest-3.0)
+       ("python2-pytest" ,python2-pytest)
        ("python2-pytest-runner" ,python2-pytest-runner)))
     (propagated-inputs
      `(("python2-fonttools" ,python2-fonttools)
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index e917be7505..63adb4d076 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -259,6 +259,12 @@ the freedesktop.org XDG Base Directory specification.")
        #:make-flags '("PKTTYAGENT=/run/current-system/profile/bin/pkttyagent")
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'patch-locale-header
+           (lambda _
+             ;; Fix compilation with glibc >= 2.26, which removed xlocale.h.
+             ;; This can be removed for elogind 234.
+             (substitute* "src/basic/parse-util.c"
+               (("xlocale\\.h") "locale.h"))))
          (add-before 'configure 'autogen
            (lambda _
              (and (zero? (system* "intltoolize" "--force" "--automake"))
@@ -416,28 +422,17 @@ Python.")
 (define-public wayland
   (package
     (name "wayland")
-    (version "1.13.0")
+    (version "1.14.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://wayland.freedesktop.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0lgywr1m0d79vr4s8aimj8a307nss29hhy68gjpqj7m667055c39"))))
+                "1f3sla6h0bw15fz8pjc67jhwj7pwmfdc7qlj42j5k9v116ycm07d"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:parallel-tests? #f
-       #:phases
-       (modify-phases %standard-phases
-         ;; Remove record shapes to workaround graphviz 2.40.1 problems.
-         ;; http://www.graphviz.org/content/i-havent-been-able-render-these-files-graphviz-226
-         ;; This will likely be fixed upstream in the next release.
-         ;; https://lists.freedesktop.org/archives/wayland-devel/2017-June/034218.html
-         (add-before 'build 'fix-graphviz
-           (lambda _
-             (substitute* "doc/doxygen/dot/x-architecture.gv"
-               (("Mrecord") "none"))
-             #t)))))
+     `(#:parallel-tests? #f))
     (native-inputs
      `(("doxygen" ,doxygen)
        ("graphviz" ,graphviz)
@@ -463,7 +458,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
 (define-public wayland-protocols
   (package
     (name "wayland-protocols")
-    (version "1.9")
+    (version "1.12")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -471,7 +466,7 @@ applications, X servers (rootless or fullscreen) or other display servers.")
                     "wayland-protocols-" version ".tar.xz"))
               (sha256
                (base32
-                "0xag2yci0l13brmq2k12vdv0wlnb2j0rxk2cnp170fya63g74sv6"))))
+                "1cn8ny4zr9xlcdh8qi1qnkmvia8cp4ixnsbhd9sp9571w6lyh69v"))))
     (build-system gnu-build-system)
     (inputs
      `(("wayland" ,wayland)))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 1213d87a54..2971644ddc 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -136,6 +136,7 @@
   #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages icu4c)
   #:use-module (gnu packages networking)
+  #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system haskell)
@@ -1544,9 +1545,13 @@ either by Infocom or created using the Inform compiler.")
        #:phases
        (modify-phases %standard-phases
          (replace 'configure
-           (lambda* (#:key outputs #:allow-other-keys)
+           (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
-                    (etc (string-append out "/etc")))
+                    (etc (string-append out "/etc"))
+                    (vulkan (assoc-ref inputs "vulkan-icd-loader")))
+               ;; Hard-code the path to libvulkan.so.
+               (substitute* "gfx/common/vulkan_common.c"
+                 (("libvulkan.so") (string-append vulkan "/lib/libvulkan.so")))
                (substitute* "qb/qb.libs.sh"
                  (("/bin/true") (which "true")))
                ;; The configure script does not yet accept the extra arguments
@@ -1569,6 +1574,7 @@ either by Infocom or created using the Inform compiler.")
        ("python" ,python)
        ("sdl" ,sdl2)
        ("udev" ,eudev)
+       ("vulkan-icd-loader" ,vulkan-icd-loader)
        ("wayland", wayland)
        ("zlib" ,zlib)))
     (native-inputs
@@ -2833,9 +2839,6 @@ Transport Tycoon Deluxe.")
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f ;; no tests available
-       #:configure-flags
-        (list (string-append "-DCMAKE_INSTALL_LIBDIR="
-                       (assoc-ref %outputs "out") "/lib"))
        #:phases
         (modify-phases %standard-phases
           (add-after 'unpack 'fix-usr-share-paths
@@ -3340,13 +3343,7 @@ Super Game Boy, BS-X Satellaview, and Sufami Turbo.")
      `(#:tests? #f                      ;no "test" target
        #:configure-flags
        (list "-DUSE_LZMA=OFF"           ;do not use bundled LZMA
-             "-DUSE_LIBZIP=OFF"         ;use "zlib" instead
-             ;; Validate RUNPATH phase fails ("error: depends on
-             ;; 'libmgba.so.0.6', which cannot be found in RUNPATH") without
-             ;; the following S-exp.
-             (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            (assoc-ref %outputs "out")
-                            "/lib"))))
+             "-DUSE_LIBZIP=OFF")))      ;use "zlib" instead
     (native-inputs `(("pkg-config" ,pkg-config)))
     (inputs `(("ffmpeg" ,ffmpeg)
               ("imagemagick" ,imagemagick)
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index ad8992289d..b1fc32b028 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -65,6 +65,14 @@ where the OS part is overloaded to denote a specific ABI---into GCC
            "--with-mode=thumb"
            "--with-fpu=neon"))
 
+        ((and (string-suffix? "-gnu" target)
+              (not (string-contains target "-linux")))
+         ;; Cross-compilation of libcilkrts in GCC 5.5.0 to GNU/Hurd fails
+         ;; with:
+         ;;   libcilkrts/runtime/os-unix.c:388:2: error: #error "Unknown architecture"
+         ;; Cilk has been removed from GCC 8 anyway.
+         '("--disable-libcilkrts"))
+
         (else
          ;; TODO: Add `arm.*-gnueabi', etc.
          '())))
@@ -80,8 +88,8 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                   (map (lambda (var tool)
                          (string-append (string-append var "_FOR_TARGET")
                                         "=" target "-" tool))
-                       '("CC"  "CXX" "LD" "AR" "NM" "RANLIB" "STRIP")
-                       '("gcc" "g++" "ld" "ar" "nm" "ranlib" "strip"))
+                       '("CC"  "CXX" "LD" "AR" "NM" "OBJDUMP" "RANLIB" "STRIP")
+                       '("gcc" "g++" "ld" "ar" "nm" "objdump" "ranlib" "strip"))
                   '()))))
          (libdir
           (let ((base '(or (assoc-ref outputs "lib")
@@ -139,7 +147,8 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                (patches (search-patches "gcc-4-compile-with-gcc-5.patch"))
                (sha256
                 (base32
-                 "10k2k71kxgay283ylbbhhs51cl55zn2q38vj5pk4k950qdnirrlj"))))
+                 "10k2k71kxgay283ylbbhhs51cl55zn2q38vj5pk4k950qdnirrlj"))
+               (patches (search-patches "gcc-fix-texi2pod.patch"))))
       (build-system gnu-build-system)
 
       ;; Separate out the run-time support libraries because all the
@@ -156,7 +165,8 @@ where the OS part is overloaded to denote a specific ABI---into GCC
 
       ;; GCC < 5 is one of the few packages that doesn't ship .info files.
       ;; Newer texinfos fail to build the manual, so we use an older one.
-      (native-inputs `(("texinfo" ,texinfo-5)))
+      (native-inputs `(("perl" ,perl)   ;for manpages
+                       ("texinfo" ,texinfo-5)))
 
       (arguments
        `(#:out-of-source? #t
@@ -352,7 +362,20 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "08yggr18v373a1ihj0rg2vd6psnic42b518xcgp3r9k81xz1xyr2"))
-              (patches (search-patches "gcc-arm-link-spec-fix.patch"))))
+              (patches (search-patches "gcc-arm-link-spec-fix.patch"
+                                       "gcc-asan-missing-include.patch"
+                                       "gcc-fix-texi2pod.patch"))
+              (modules '((guix build utils)))
+              ;; This is required for building with glibc-2.26.
+              ;; https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81712
+              (snippet
+               '(for-each
+                  (lambda (dir)
+                    (substitute* (string-append "libgcc/config/"
+                                                dir "/linux-unwind.h")
+                      (("struct ucontext") "ucontext_t")))
+                  '("aarch64" "alpha" "bfin" "i386" "m68k"
+                    "pa" "sh" "tilepro" "xtensa")))))
     (supported-systems %supported-systems)
     (inputs
      `(("isl" ,isl-0.11)
@@ -370,31 +393,57 @@ Go.  It also includes runtime support libraries for these languages.")
                (base32
                 "14l06m7nvcvb0igkbip58x59w3nq6315k6jcz3wr9ch1rn9d44bc"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
-                                       "gcc-libvtv-runpath.patch"))))
-    (native-inputs `(("texinfo" ,texinfo)))))
+                                       "gcc-asan-missing-include.patch"
+                                       "gcc-libvtv-runpath.patch"
+                                       "gcc-fix-texi2pod.patch"))
+              (modules '((guix build utils)))
+              ;; This is required for building with glibc-2.26.
+              ;; https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81712
+              (snippet
+               '(for-each
+                  (lambda (dir)
+                    (substitute* (string-append "libgcc/config/"
+                                                dir "/linux-unwind.h")
+                      (("struct ucontext") "ucontext_t")))
+                  '("aarch64" "alpha" "bfin" "i386" "m68k" "nios2"
+                    "pa" "sh" "tilepro" "xtensa")))))
+    ;; Override inherited texinfo-5 with latest version.
+    (native-inputs `(("perl" ,perl)   ;for manpages
+                     ("texinfo" ,texinfo)))))
 
 (define-public gcc-5
   ;; Note: GCC >= 5 ships with .info files but 'make install' fails to install
   ;; them in a VPATH build.
   (package (inherit gcc-4.9)
-    (version "5.4.0")
+    (version "5.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gcc/gcc-"
-                                  version "/gcc-" version ".tar.bz2"))
+                                  version "/gcc-" version ".tar.xz"))
               (sha256
                (base32
-                "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
+                "11zd1hgzkli3b2v70qsm2hyqppngd4616qc96lmm9zl2kl9yl32k"))
               (patches (search-patches "gcc-arm-bug-71399.patch"
                                        "gcc-strmov-store-file-names.patch"
-                                       "gcc-asan-powerpc-missing-include.patch"
                                        "gcc-5.0-libvtv-runpath.patch"
                                        "gcc-5-source-date-epoch-1.patch"
-                                       "gcc-5-source-date-epoch-2.patch"))))))
-    ;; TODO: gcc-5 doesn't need cloog.
-    ;;(inputs
-    ;; `(("isl" ,isl)
-    ;;   ,@(package-inputs gcc-4.7)))))
+                                       "gcc-5-source-date-epoch-2.patch"
+                                       "gcc-fix-texi2pod.patch"))
+              (modules '((guix build utils)))
+              (snippet
+               ;; Fix 'libcc1/configure' error when cross-compiling GCC.
+               ;; Without that, 'libcc1/configure' wrongfully determines that
+               ;; '-rdynamic' support is missing because $gcc_cv_objdump is
+               ;; empty:
+               ;;
+               ;;   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67590
+               ;;   http://cgit.openembedded.org/openembedded-core/commit/?id=f6e47aa9b12f9ab61530c40e0343f451699d9077
+               '(substitute* "libcc1/configure"
+                  (("\\$gcc_cv_objdump -T")
+                   "$OBJDUMP_FOR_TARGET -T")))))
+    (inputs
+     `(("isl" ,isl)
+       ,@(package-inputs gcc-4.7)))))
 
 (define-public gcc-6
   (package
@@ -407,10 +456,23 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "1m0lr7938lw5d773dkvwld90hjlcq2282517d1gwvrfzmwgg42w5"))
-              (patches (search-patches "gcc-strmov-store-file-names.patch"
+              (patches (search-patches "gcc-libsanitizer-fix.patch"
+                                       "gcc-strmov-store-file-names.patch"
                                        "gcc-6-source-date-epoch-1.patch"
                                        "gcc-6-source-date-epoch-2.patch"
-                                       "gcc-5.0-libvtv-runpath.patch"))))
+                                       "gcc-5.0-libvtv-runpath.patch"))
+              (modules '((guix build utils)))
+              ;; This is required for building with glibc-2.26.
+              ;; This can be removed when gcc-6.5.0 is released.
+              ;; https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81712
+              (snippet
+               '(for-each
+                  (lambda (dir)
+                    (substitute* (string-append "libgcc/config/"
+                                                dir "/linux-unwind.h")
+                      (("struct ucontext") "ucontext_t")))
+                  '("aarch64" "alpha" "bfin" "i386" "m68k" "nios2"
+                    "pa" "sh" "tilepro" "xtensa")))))
     (inputs
      `(("isl" ,isl)
        ,@(package-inputs gcc-4.7)))))
diff --git a/gnu/packages/gettext.scm b/gnu/packages/gettext.scm
index 76c01b1e09..51b772a586 100644
--- a/gnu/packages/gettext.scm
+++ b/gnu/packages/gettext.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -47,12 +48,18 @@
              (sha256
               (base32
                "0hsw28f9q9xaggjlsdp2qmbp2rbd1mp0njzan2ld9kiqwkq2m57z"))
-             ;; test-lock has performance issues on multi-core machines,
-             ;; it hangs or takes a long time to complete.
-             ;; There is one commit in gettext and one commit
-             ;; in gettext's embedded gnulib to fix this issue.
-             (patches (search-patches "gettext-multi-core.patch"
-                                      "gettext-gnulib-multi-core.patch"))))
+             (modules '((guix build utils)))
+             (snippet
+              '(begin
+                ;; The gnulib test-lock test is prone to writer starvation
+                ;; with our glibc@2.25, which prefers readers, so disable it.
+                ;; The gnulib commit b20e8afb0b2 should fix this once
+                ;; incorporated here.
+                 (substitute* "gettext-runtime/tests/Makefile.in"
+                   (("TESTS = test-lock\\$\\(EXEEXT\\)") "TESTS ="))
+                 (substitute* "gettext-tools/gnulib-tests/Makefile.in"
+                  (("test-lock\\$\\(EXEEXT\\) ") ""))
+                 #t))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of HTML
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index f0a28d0752..0561387931 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -101,23 +101,23 @@ paper size.")
    (arguments
     `(#:tests? #f ; none provided
       #:phases
-      (alist-replace
-       'configure
-       (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
-        (let ((perl (assoc-ref inputs "perl"))
-              (out (assoc-ref outputs "out")))
-         (copy-file "Makefile.unix" "Makefile")
-         (substitute* "Makefile"
-           (("/usr/local/bin/perl") (string-append perl "/bin/perl")))
-         (substitute* "Makefile"
-           (("/usr/local") out))
-         ;; for the install phase
-         (substitute* "Makefile"
-           (("-mkdir") "mkdir -p"))
-         ;; drop installation of non-free files
-         (substitute* "Makefile"
-           ((" install.include") ""))))
-      %standard-phases)))
+      (modify-phases %standard-phases
+        (replace 'configure
+          (lambda* (#:key inputs outputs #:allow-other-keys #:rest args)
+           (let ((perl (assoc-ref inputs "perl"))
+                 (out (assoc-ref outputs "out")))
+            (copy-file "Makefile.unix" "Makefile")
+            (substitute* "Makefile"
+              (("/usr/local/bin/perl") (string-append perl "/bin/perl")))
+            (substitute* "Makefile"
+              (("/usr/local") out))
+            ;; for the install phase
+            (substitute* "Makefile"
+              (("-mkdir") "mkdir -p"))
+            ;; drop installation of non-free files
+            (substitute* "Makefile"
+              ((" install.include") "")))
+           #t)))))
    (synopsis "Collection of utilities for manipulating PostScript documents")
    (description
     "PSUtils is a collection of utilities for manipulating PostScript
@@ -132,8 +132,7 @@ printing, and psresize, for adjusting page sizes.")
 (define-public ghostscript
   (package
     (name "ghostscript")
-    (replacement ghostscript-9.22)
-    (version "9.21")
+    (version "9.22")
     (source
       (origin
         (method url-fetch)
@@ -143,9 +142,8 @@ printing, and psresize, for adjusting page sizes.")
                             "/ghostscript-" version ".tar.xz"))
         (sha256
          (base32
-          "0lyhjcrkmd5fcmh8h56bs4xr9k4jasmikv5vsix1hd4ai0ad1q9b"))
+          "1fyi4yvdj39bjgs10klr31cda1fbx1ar7a7b7yz7v68gykk65y61"))
         (patches (search-patches "ghostscript-runpath.patch"
-                                 "ghostscript-CVE-2017-8291.patch"
                                  "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
@@ -256,25 +254,6 @@ output file formats and printers.")
     (home-page "https://www.ghostscript.com/")
     (license license:agpl3+)))
 
-(define ghostscript-9.22
-  (package
-    (inherit ghostscript)
-    (version "9.22")
-    (source
-      (origin
-        (inherit (package-source ghostscript))
-        (uri (string-append "https://github.com/ArtifexSoftware/"
-                            "ghostpdl-downloads/releases/download/gs"
-                            (string-delete #\. version)
-                            "/ghostscript-" version ".tar.xz"))
-        (sha256
-         (base32
-          "1fyi4yvdj39bjgs10klr31cda1fbx1ar7a7b7yz7v68gykk65y61"))
-        (patches (search-patches "ghostscript-runpath.patch"
-                                 "ghostscript-no-header-creationdate.patch"
-                                 "ghostscript-no-header-id.patch"
-                                 "ghostscript-no-header-uuid.patch"))))))
-
 (define-public ghostscript/x
   (package/inherit ghostscript
     (name (string-append (package-name ghostscript) "-with-x"))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index 421e946bed..125448f9e1 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -6,7 +6,7 @@
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
@@ -160,6 +160,8 @@ the X-Consortium license.")
     (inputs `(("libx11" ,libx11)
               ("mesa" ,mesa)
               ("glu" ,glu)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
     (home-page "http://ftgl.sourceforge.net")
     (synopsis "Font rendering library for OpenGL applications")
     (description
@@ -220,7 +222,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "17.2.1")
+    (version "17.3.1")
     (source
       (origin
         (method url-fetch)
@@ -232,7 +234,7 @@ also known as DXTn or DXTC) for Mesa.")
                                   version "/mesa-" version ".tar.xz")))
         (sha256
          (base32
-          "07msr6xismw2jq87irwhz7vygvzj6hi38d71paij9zvwh8bmsf3p"))
+          "1h94m2nkxa1y4n415d5idk2x2lkgbvjcikv6r2r6yn4ak7h0grls"))
         (patches
          (search-patches "mesa-wayland-egl-symbols-check-mips.patch"
                          "mesa-skip-disk-cache-test.patch"))))
@@ -263,12 +265,12 @@ also known as DXTn or DXTC) for Mesa.")
              `()))
         ("makedepend" ,makedepend)
         ("presentproto" ,presentproto)
-        ("s2tc" ,s2tc)
         ("wayland" ,wayland)
         ("wayland-protocols" ,wayland-protocols)))
     (native-inputs
       `(("pkg-config" ,pkg-config)
         ("python" ,python-2)
+        ("python2-mako" ,python2-mako)
         ("which" ,(@ (gnu packages base) which))))
     (arguments
      `(#:configure-flags
@@ -278,9 +280,9 @@ also known as DXTn or DXTC) for Mesa.")
               '("--with-gallium-drivers=freedreno,nouveau,r300,r600,swrast,vc4,virgl"))
              ("aarch64-linux"
               ;; TODO: Fix svga driver for aarch64 and armhf.
-              '("--with-gallium-drivers=freedreno,nouveau,r300,r600,swrast,vc4,virgl"))
+              '("--with-gallium-drivers=freedreno,nouveau,pl111,r300,r600,swrast,vc4,virgl"))
              (_
-              '("--with-gallium-drivers=i915,nouveau,r300,r600,svga,swrast,virgl")))
+              '("--with-gallium-drivers=i915,nouveau,r300,r600,radeonsi,svga,swrast,virgl")))
          ;; Enable various optional features.  TODO: opencl requires libclc,
          ;; omx requires libomxil-bellagio
          "--with-platforms=x11,drm,wayland,surfaceless"
@@ -297,6 +299,16 @@ also known as DXTn or DXTC) for Mesa.")
          ;; are stuck at OpenGL 2.1 instead of OpenGL 3.0+.
          "--enable-texture-float"
 
+         ;; Enable Vulkan on i686-linux and x86-64-linux.
+         ,@(match (%current-system)
+             ("x86_64-linux"
+              '("--with-vulkan-drivers=intel,radeon"))
+             ;; TODO: Fix intel driver on i686-linux.
+             ("i686-linux"
+              '("--with-vulkan-drivers=radeon"))
+             (_
+              '("")))
+
          ;; Also enable the tests.
          "--enable-gallium-tests"
 
@@ -308,6 +320,10 @@ also known as DXTn or DXTC) for Mesa.")
                 "--enable-llvm"))         ; default is x86/x86_64 only
              (_
               '("--with-dri-drivers=nouveau,r200,radeon,swrast"))))
+       #:modules ((ice-9 match)
+                  (srfi srfi-1)
+                  (guix build utils)
+                  (guix build gnu-build-system))
        #:phases
        (modify-phases %standard-phases
          (add-after
@@ -342,13 +358,48 @@ also known as DXTn or DXTC) for Mesa.")
                  ;; egl_gallium support.
                  (("\"gbm_dri\\.so")
                   (string-append "\"" out "/lib/dri/gbm_dri.so")))
+               #t)))
+         (add-after 'install 'symlinks-instead-of-hard-links
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; All the drivers and gallium targets create hard links upon
+             ;; installation (search for "hardlink each megadriver instance"
+             ;; in the makefiles).  This is no good for us since we'd produce
+             ;; nars that contain several copies of these files.  Thus, turn
+             ;; them into symlinks, which saves ~124 MiB.
+             (let* ((out    (assoc-ref outputs "out"))
+                    (lib    (string-append out "/lib"))
+                    (files  (find-files lib
+                                        (lambda (file stat)
+                                          (and (string-contains file ".so")
+                                               (eq? 'regular
+                                                    (stat:type stat))))))
+                    (inodes (map (compose stat:ino stat) files)))
+               (for-each (lambda (inode)
+                           (match (filter-map (match-lambda
+                                                ((file ino)
+                                                 (and (= ino inode) file)))
+                                              (zip files inodes))
+                             ((_)
+                              #f)
+                             ((reference others ..1)
+                              (format #t "creating ~a symlinks to '~a'~%"
+                                      (length others) reference)
+                              (for-each delete-file others)
+                              (for-each (lambda (file)
+                                          (if (string=? (dirname file)
+                                                        (dirname reference))
+                                              (symlink (basename reference)
+                                                       file)
+                                              (symlink reference file)))
+                                        others))))
+                         (delete-duplicates inodes))
                #t))))))
     (home-page "https://mesa3d.org/")
-    (synopsis "OpenGL implementation")
-    (description "Mesa is a free implementation of the OpenGL specification -
-a system for rendering interactive 3D graphics.  A variety of device drivers
-allows Mesa to be used in many different environments ranging from software
-emulation to complete hardware acceleration for modern GPUs.")
+    (synopsis "OpenGL and Vulkan implementations")
+    (description "Mesa is a free implementation of the OpenGL and Vulkan
+specifications - systems for rendering interactive 3D graphics.  A variety of
+device drivers allows Mesa to be used in many different environments ranging
+from software emulation to complete hardware acceleration for modern GPUs.")
     (license license:x11)))
 
 (define-public mesa-headers
@@ -696,9 +747,10 @@ mixed vector/bitmap output.")
          "0rnid3hwrry9d5d4m7sygq00xxx976rgk00a3557m9r5kxbmy476"))))
     (arguments
      `(#:tests? #f ;; no tests are available
-       #:configure-flags (list "-DVGL_USESSL=1" ;; use OpenSSL
-                          (string-append "-DCMAKE_INSTALL_LIBDIR="
-                                         (assoc-ref %outputs "out") "/lib"))))
+       #:configure-flags (list
+                           (string-append "-DCMAKE_INSTALL_LIBDIR="
+                                          (assoc-ref %outputs "out") "/lib")
+                           "-DVGL_USESSL=1"))) ;; use OpenSSL
     (build-system cmake-build-system)
     (inputs `(("glu" ,glu)
               ("libjpeg-turbo" ,libjpeg-turbo)
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 3b818164dc..5603e40379 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -72,7 +72,7 @@
 (define dbus
   (package
     (name "dbus")
-    (version "1.10.22")
+    (version "1.12.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -80,7 +80,7 @@
                     version ".tar.gz"))
               (sha256
                (base32
-                "15vv9gz5i4f5l7h0d045qz5iyvl89hjk2k83lb4vbizd7qg41cg2"))
+                "121xm3cy48vbv6nv522lfkk4zyiqc1g6v4lb3344gc3h2w4vaar7"))
               (patches (search-patches "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -142,7 +142,7 @@ shared NFS home directories.")
 (define glib
   (package
    (name "glib")
-   (version "2.52.3")
+   (version "2.54.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -150,8 +150,9 @@ shared NFS home directories.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0a71wkkhkvad84gm30w13micxxgqqw3sxhybj7nd9z60lwspdvi5"))
-            (patches (search-patches "glib-tests-timer.patch"))))
+              "0v4ffl172kbqgxrhgxyafhpw36bq3iklb2zjqyl6jcfkmb2yb2dv"))
+            (patches (search-patches "glib-respect-datadir.patch"
+                                     "glib-tests-timer.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"           ; everything
               "bin"           ; glib-mkenums, gtester, etc.; depends on Python
@@ -170,9 +171,9 @@ shared NFS home directories.")
       ("python" ,python-wrapper)
       ("perl" ,perl)                              ; needed by GIO tests
       ("bash" ,bash)
-      ("tzdata" ,tzdata-2017a)))                  ; for tests/gdatetime.c
+      ("tzdata" ,tzdata-for-tests)))                  ; for tests/gdatetime.c
    (arguments
-    `(#:disallowed-references (,tzdata-2017a)
+    `(#:disallowed-references (,tzdata-for-tests)
       #:phases
       (modify-phases %standard-phases
         (add-before 'build 'pre-build
@@ -252,12 +253,7 @@ shared NFS home directories.")
 
                      ("gio/tests/gdbus-unix-addresses.c"
                       (;; Requires /etc/machine-id.
-                       "/gdbus/x11-autolaunch"))
-
-                     ("glib/tests/gdatetime.c"
-                      (;; Assumes that the Brasilian time zone is named 'BRT',
-                       ;; which is no longer true as of tzdata-2017a.
-                       "/GDateTime/new_full")))))
+                       "/gdbus/x11-autolaunch")))))
               (and-map (lambda (x) (apply disable x)) failing-tests)))))
 
       ;; Note: `--docdir' and `--htmldir' are not honored, so work around it.
@@ -289,19 +285,19 @@ shared NFS home directories.")
 and interfaces for such runtime functionality as an event loop, threads,
 dynamic loading, and an object system.")
    (home-page "https://developer.gnome.org/glib/")
-   (license license:lgpl2.0+)))                        ; some files are under lgpl2.1+
+   (license license:lgpl2.1+)))
 
 (define gobject-introspection
   (package
     (name "gobject-introspection")
-    (version "1.52.1")
+    (version "1.54.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnome/sources/"
                    "gobject-introspection/" (version-major+minor version)
                    "/gobject-introspection-" version ".tar.xz"))
              (sha256
-              (base32 "1x5gkyrglv3dn9b4fsgw6asqgjw1wj7qc37g9pyac6pyaa6w7l1f"))
+              (base32 "0zl7pfkzkm07733391b4f3cwjbnvb1nwvpmajf5bajh6bxgfv3dq"))
              (modules '((guix build utils)))
              (snippet
               '(substitute* "tools/g-ir-tool-template.in"
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 0a707b2acf..8ddc022546 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2014, 2015 Federico Beffa <beffa@fbengineering.ch>
@@ -9,7 +9,7 @@
 ;;; Copyright © 2015, 2017 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
 ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 David Thompson <davet@gnu.org>
 ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 Rene Saavedra <rennes@openmailbox.org>
@@ -686,7 +686,15 @@ GNOME Desktop.")
                               "/manpages/docbook.xsl")))
             (setenv "XML_CATALOG_FILES"
                     (string-append (assoc-ref inputs "docbook-xml")
-                                   "/xml/dtd/docbook/catalog.xml")))))))
+                                   "/xml/dtd/docbook/catalog.xml"))
+
+            ;; Rerun the whole thing to avoid version mismatch ("This is
+            ;; Automake 1.15.1, but the definition used by this
+            ;; AM_INIT_AUTOMAKE comes from Automake 1.15.").  Note: we don't
+            ;; use 'autoreconf' because it insists on running 'libtoolize'.
+            (invoke "autoconf")
+            (invoke "aclocal")
+            (invoke "automake" "-ac"))))))
     (inputs
      `(("libgcrypt" ,libgcrypt)
        ("linux-pam" ,linux-pam)
@@ -1182,7 +1190,7 @@ dealing with different structured file formats.")
 (define-public librsvg
   (package
     (name "librsvg")
-    (version "2.40.18")
+    (version "2.40.20")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnome/sources/" name "/"
@@ -1190,24 +1198,38 @@ dealing with different structured file formats.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0k2nbd4g31qinkdfd8r5c5ih2ixl85fbkgkqqh9747lwr24c9j5z"))))
+                "0ay9himvw1l1swcf3h1312d2iqzfl65kpbfgiyfykgvq7cydvx6g"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
-       (alist-cons-before
-        'configure 'pre-configure
-        (lambda* (#:key inputs #:allow-other-keys)
-          (substitute* "gdk-pixbuf-loader/Makefile.in"
-            ;; By default the gdk-pixbuf loader is installed under
-            ;; gdk-pixbuf's prefix.  Work around that.
-            (("gdk_pixbuf_moduledir = .*$")
-             (string-append "gdk_pixbuf_moduledir = "
-                            "$(prefix)/lib/gdk-pixbuf-2.0/2.10.0/"
-                             "loaders\n"))
-            ;; Drop the 'loaders.cache' file, it's in gdk-pixbuf+svg.
-            (("gdk_pixbuf_cache_file = .*$")
-             "gdk_pixbuf_cache_file = $(TMPDIR)/loaders.cache\n")))
-        %standard-phases)))
+       (modify-phases %standard-phases
+         (add-before 'configure 'pre-configure
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "gdk-pixbuf-loader/Makefile.in"
+               ;; By default the gdk-pixbuf loader is installed under
+               ;; gdk-pixbuf's prefix.  Work around that.
+               (("gdk_pixbuf_moduledir = .*$")
+                (string-append "gdk_pixbuf_moduledir = "
+                               "$(prefix)/lib/gdk-pixbuf-2.0/2.10.0/"
+                                "loaders\n"))
+               ;; Drop the 'loaders.cache' file, it's in gdk-pixbuf+svg.
+               (("gdk_pixbuf_cache_file = .*$")
+                "gdk_pixbuf_cache_file = $(TMPDIR)/loaders.cache\n"))
+             #t))
+         (add-after 'unpack 'remove-failing-tests
+           (lambda _
+             (with-directory-excursion "tests/fixtures/reftests"
+               (for-each delete-file
+                         '(;; This test fails on i686:
+                           "svg1.1/masking-path-04-b.svg"
+                           "svg1.1/masking-path-04-b-ref.png"
+                           ;; This test fails on armhf:
+                           "svg1.1/masking-mask-01-b.svg"
+                           "svg1.1/masking-mask-01-b-ref.png"
+                           ;; This test fails on aarch64:
+                           "bugs/777834-empty-text-children.svg"
+                           "bugs/777834-empty-text-children-ref.png")))
+             #t)))))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("glib" ,glib "bin")                               ; glib-mkenums, etc.
@@ -1470,7 +1492,8 @@ to access local and remote files with a single consistent API.")
                                   name "-" version ".tar.bz2"))
               (sha256
                (base32
-                "197pnq8y0knqjhm2fg4j6hbqqm3qfzfnd0irhwxpk1b4hqb3kimj"))))
+                "197pnq8y0knqjhm2fg4j6hbqqm3qfzfnd0irhwxpk1b4hqb3kimj"))
+              (patches (search-patches "libgnome-encoding.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -1586,6 +1609,7 @@ creating interactive structured graphics.")
               (uri (string-append "mirror://gnome/sources/" name "/"
                                   (version-major+minor version)  "/"
                                   name "-" version ".tar.bz2"))
+              (patches (search-patches "libgnomeui-utf8.patch"))
               (sha256
                (base32
                 "03rwbli76crkjl6gp422wrc9lqpl174k56cp9i96b7l8jlj2yddf"))))
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 2f9e3311f1..16685f6986 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -91,16 +91,15 @@ Daemon and possibly more in the future.")
 
 (define-public libgcrypt
   (package
-    (replacement libgcrypt/fixed)
     (name "libgcrypt")
-    (version "1.7.8")
+    (version "1.8.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "16f1rsv4y4w2pk1il2jbcqggsb6mrlfva5vayd205fp68zm7d0ll"))))
+               "1cvqd9jk5qshbh48yh3ixw4zyr4n5k50r3475rrh20xfn7w7aa3s"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
@@ -126,18 +125,6 @@ generation.")
     (properties '((ftp-server . "ftp.gnupg.org")
                   (ftp-directory . "/gcrypt/libgcrypt")))))
 
-(define libgcrypt/fixed
-  (package
-    (inherit libgcrypt)
-    (version "1.8.1")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
-                                 version ".tar.bz2"))
-             (sha256
-              (base32
-               "1cvqd9jk5qshbh48yh3ixw4zyr4n5k50r3475rrh20xfn7w7aa3s"))))))
-
 (define-public libassuan
   (package
     (name "libassuan")
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 92037326e0..a0819b809a 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -282,7 +282,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.34")
+    (version "3.34.1")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -293,7 +293,7 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1x9acn47iva9j42kxfamgvn99lrnqv47fgn3rz3j6c1ph50rai8d"))
+                "186x33wsk4mzjz7dzbn8p0py9a0nzkgzpfkdv4rlyy5gghv5vhd3"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
                                        "nss-increase-test-timeout.patch"))))
@@ -414,6 +414,7 @@ security standards.")
       (patches
        (list
         (search-patch "icecat-avoid-bundled-libraries.patch")
+        (search-patch "icecat-glibc-2.26.patch")
         (mozilla-patch "icecat-bug-546387.patch"         "d13e3fefb76e" "1b760r0bg2ydbl585wlmajljh1nlisrwxvjws5b28a3sgjy01i6k")
         (mozilla-patch "icecat-bug-1350152.patch"        "f822bda79c28" "1wf56169ca874shr6r7qx40s17h2gwj7ngmpyylrpmd1c6hipvsj")
         (mozilla-patch "icecat-bug-1388166.patch"        "fbb0bdb191d5" "1y8wpj38vw1dd6f375s9i0mrk9bd8z8gz5g70p4qynfllpkn072d")
diff --git a/gnu/packages/groff.scm b/gnu/packages/groff.scm
index 9b949f8ff3..5f1b8d0ed6 100644
--- a/gnu/packages/groff.scm
+++ b/gnu/packages/groff.scm
@@ -22,6 +22,7 @@
 (define-module (gnu packages groff)
   #:use-module (guix licenses)
   #:use-module (guix packages)
+  #:use-module (guix utils)
   #:use-module (guix download)
   #:use-module (guix git-download)
   #:use-module (guix build-system gnu)
@@ -57,7 +58,14 @@
                     ("perl" ,perl)
                     ("psutils" ,psutils)
                     ("texinfo" ,texinfo)))
-   (arguments '(#:parallel-build? #f))  ; parallel build fails
+   (arguments
+    `(#:parallel-build? #f   ; parallel build fails
+      #:phases
+      (modify-phases %standard-phases
+        (add-after 'unpack 'setenv
+          (lambda _
+            (setenv "GS_GENERATE_UUIDS" "0")
+            #t)))))
    (synopsis "Typesetting from plain text mixed with formatting commands")
    (description
     "Groff is a typesetting package that reads plain text and produces
@@ -85,32 +93,32 @@ is usually the formatter of \"man\" documentation pages.")
 
        #:configure-flags '("--docdir=/tmp/trash/doc")
 
-       #:phases (modify-phases %standard-phases
-                  (add-after 'install 'remove-non-essential-programs
-                    (lambda* (#:key outputs #:allow-other-keys)
-                      ;; Keep only the programs that man-db needs at run time,
-                      ;; and make sure we don't pull in Perl.
-                      (let ((out  (assoc-ref outputs "out"))
-                            (kept '("eqn" "neqn" "pic" "tbl" "refer"
-                                    "nroff" "groff" "troff" "grotty")))
-                        (for-each (lambda (file)
-                                    (unless (member (basename file) kept)
-                                      (delete-file file)))
-                                  (find-files (string-append out "/bin")))
+       ,@(substitute-keyword-arguments (package-arguments groff)
+           ((#:phases phases)
+            `(modify-phases ,phases
+               (add-after 'install 'remove-non-essential-programs
+                 (lambda* (#:key outputs #:allow-other-keys)
+                   ;; Keep only the programs that man-db needs at run time,
+                   ;; and make sure we don't pull in Perl.
+                   (let ((out  (assoc-ref outputs "out"))
+                         (kept '("eqn" "neqn" "pic" "tbl" "refer"
+                                 "nroff" "groff" "troff" "grotty")))
+                     (for-each (lambda (file)
+                                 (unless (member (basename file) kept)
+                                   (delete-file file)))
+                               (find-files (string-append out "/bin")))
 
-                        ;; Remove a bunch of unneeded Perl scripts.
-                        (for-each delete-file (find-files out "\\.pl$"))
-                        (for-each delete-file
-                                  (find-files out "BuildFoundries"))
+                     ;; Remove a bunch of unneeded Perl scripts.
+                     (for-each delete-file (find-files out "\\.pl$"))
+                     (for-each delete-file
+                               (find-files out "BuildFoundries"))
 
-                        ;; Remove ~3 MiB from share/groff/X.Y/font/devBACKEND
-                        ;; corresponding to the unused backends.
-                        (for-each delete-file-recursively
-                                  (find-files out "^dev(dvi|ps|pdf|html|lj4)$"
-                                              #:directories? #t))
-                        #t))))
-
-       ,@(package-arguments groff)))))
+                     ;; Remove ~3 MiB from share/groff/X.Y/font/devBACKEND
+                     ;; corresponding to the unused backends.
+                     (for-each delete-file-recursively
+                               (find-files out "^dev(dvi|ps|pdf|html|lj4)$"
+                                           #:directories? #t))
+                     #t))))))))))
 
 ;; There are no releases, so we take the latest commit.
 (define-public roffit
diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm
index 727d0f0d52..3146f408c3 100644
--- a/gnu/packages/gsasl.scm
+++ b/gnu/packages/gsasl.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -81,7 +82,17 @@ the underlying security implementation.")
             (uri (string-append "mirror://gnu/gsasl/gsasl-" version
                                 ".tar.gz"))
             (sha256 (base32
-                     "1rci64cxvcfr8xcjpqc4inpfq7aw4snnsbf5xz7d30nhvv8n40ii"))))
+                     "1rci64cxvcfr8xcjpqc4inpfq7aw4snnsbf5xz7d30nhvv8n40ii"))
+            (modules '((guix build utils)))
+            (snippet
+             '(begin
+                ;; The gnulib test-lock test is prone to writer starvation
+                ;; with our glibc@2.25, which prefers readers, so disable it.
+                ;; The gnulib commit b20e8afb0b2 should fix this once
+                ;; incorporated here.
+                (substitute* "tests/Makefile.in"
+                  (("test-lock\\$\\(EXEEXT\\) ") ""))
+                #t))))
    (build-system gnu-build-system)
    (inputs `(("libidn" ,libidn)
              ("libntlm" ,libntlm)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index c66a3e5a17..e344a74308 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -8,8 +8,8 @@
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
 ;;; Copyright © 2015 David Hashe <david.hashe@dhashe.com>
-;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Coypright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Fabian Harfert <fhmgufs@web.de>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Patrick Hetu <patrick.hetu@auf.org>
@@ -75,7 +75,7 @@
 (define-public atk
   (package
    (name "atk")
-   (version "2.24.0")
+   (version "2.26.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -83,7 +83,7 @@
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0jbs90vacl95mwgvmqsizi1bwx5sw0rz70r9knksfwwch2dalbdv"))))
+              "1jwpx8az0iifw176dc2hl4mmg6gvxzxdkd1qvg4ds7c5hdmzy07g"))))
    (build-system gnu-build-system)
    (outputs '("out" "doc"))
    (arguments
@@ -173,7 +173,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.5.1")
+   (version "1.7.3")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://www.freedesktop.org/software/"
@@ -181,7 +181,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0lbwzif7ndvx1iqzp7wxv6j3ilal6di2vj33cy3bha97mpyqv0sn"))))
+               "1zh5n3q3mb6y6kr5m7zz1ags9z1vjwai57d6warx8qhzfrwn8lyd"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
@@ -211,7 +211,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public pango
   (package
    (name "pango")
-   (version "1.40.12")
+   (version "1.40.14")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/pango/"
@@ -219,7 +219,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1z0w2vrx3qh3aryfkbfijkcxxr3yjbxc2l4b0yy8rcp2wjlakwbm"))))
+              "1qqpd8x1pl483ynj3mc5q4n8y2pxqhg2bv19vd94r7mzlzm1pbwh"))))
    (build-system gnu-build-system)
    (propagated-inputs
     `(("cairo" ,cairo)
@@ -430,7 +430,7 @@ highlighting and other features typical of a source code editor.")
 (define-public gdk-pixbuf
   (package
    (name "gdk-pixbuf")
-   (version "2.36.10")
+   (version "2.36.11")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -438,7 +438,7 @@ highlighting and other features typical of a source code editor.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1klsjkdbashd8yb8xjsc9ff3bz32n2id5s79nrrmqiw9df4zmxpq"))))
+              "1wz2vpciwdpdv612s8kbww08q80hgcs5dxrfsxp1a4q44n3snqmf"))))
    (build-system gnu-build-system)
    (arguments
     '(#:configure-flags '("--with-x11")
@@ -511,7 +511,7 @@ in the GNOME project.")
 (define-public at-spi2-core
   (package
    (name "at-spi2-core")
-   (version "2.24.1")
+   (version "2.26.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -519,7 +519,7 @@ in the GNOME project.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0nwvjmd30rgq6d1zznavx0bdfa1xwv3jl8wnkbkwzaipp5jd140y"))))
+              "0596ghkamkxgv08r4a1pdhm06qd5zzgcfqsv64038w9xbvghq3n8"))))
    (build-system gnu-build-system)
    (outputs '("out" "doc"))
    (arguments
@@ -556,7 +556,7 @@ is part of the GNOME accessibility project.")
 (define-public at-spi2-atk
   (package
    (name "at-spi2-atk")
-   (version "2.24.1")
+   (version "2.26.1")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -564,7 +564,7 @@ is part of the GNOME accessibility project.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "0zcmsq7g4jg5dpmfzkyfpa0v6hx4119c4qwkdblzzf3l9yn91p30"))))
+              "0x9vc99ni46fg5dzlx67vbw0zqffr24gz8jvbdxbmzyvc5xw5w5l"))))
    (build-system gnu-build-system)
    (arguments
     '(#:phases
@@ -602,7 +602,8 @@ is part of the GNOME accessibility project.")
               "0n26jm09n03nqbd00d2ij63xrby3vik56sk5yj6w1vy768kr5hb8"))
             (patches (search-patches "gtk2-respect-GUIX_GTK2_PATH.patch"
                                      "gtk2-respect-GUIX_GTK2_IM_MODULE_FILE.patch"
-                                     "gtk2-theme-paths.patch"))))
+                                     "gtk2-theme-paths.patch"
+                                     "gtk2-fix-failing-test.patch"))))
    (build-system gnu-build-system)
    (outputs '("out" "doc"))
    (propagated-inputs
@@ -656,7 +657,7 @@ application suites.")
    (name "gtk+")
    ;; NOTE: When updating the version of 'gtk+', the hash of 'mate-themes' in
    ;;       mate.scm will also need to be updated.
-   (version "3.22.21")
+   (version "3.22.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -664,7 +665,7 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "11vb1shgr4rlayfk0b858gz986jsn2mpjlxvr89b2kgvbjlc3lqv"))
+              "0rxrsh6bcp13hihxxs8f0m9xwniby4lmfi7y5mp9fhg5439z1vk1"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
                                      "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
    (outputs '("out" "bin" "doc"))
@@ -712,7 +713,9 @@ application suites.")
                               ;; by gnome-control-center
                               "--enable-wayland-backend"
                               ;; This is necessary to build both backends.
-                              "--enable-x11-backend")
+                              "--enable-x11-backend"
+                              ;; This enables the HTML5 websocket backend.
+                              "--enable-broadway-backend")
       #:phases (modify-phases %standard-phases
         (add-before 'configure 'pre-configure
           (lambda _
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index a778bbf458..17862dc7da 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -154,7 +154,6 @@ without requiring the source code to be rewritten.")
    (build-system gnu-build-system)
    (native-inputs `(("pkgconfig" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
-             ("readline" ,readline)
              ,@(libiconv-if-needed)
 
              ;; We need Bash when cross-compiling because some of the scripts
@@ -222,7 +221,7 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.2
   (package (inherit guile-2.0)
     (name "guile")
-    (version "2.2.2")                      ;TODO: Update to 2.2.3 (see below).
+    (version "2.2.3")
     (source (origin
               (method url-fetch)
 
@@ -232,7 +231,7 @@ without requiring the source code to be rewritten.")
                                   ".tar.xz"))
               (sha256
                (base32
-                "1azm25zcmxif0skxfrp11d2wc89nrzpjaann9yxdw6pvjxhs948w"))
+                "11j01agvnci2cx32wwpqs9078856yxmvs15gcsz7ganpkj2ahlw3"))
               (modules '((guix build utils)))
 
               ;; Remove the pre-built object files.  Instead, build everything
@@ -250,22 +249,24 @@ without requiring the source code to be rewritten.")
            (search-path-specification
             (variable "GUILE_LOAD_COMPILED_PATH")
             (files '("lib/guile/2.2/site-ccache"
-                     "share/guile/site/2.2")))))))
+                     "share/guile/site/2.2")))))
 
-(define-public guile-2.2.3
-  ;; TODO: Make it the new 'guile-2.2' on the next rebuild cycle.
-  (package
-    (inherit guile-2.2)
-    (version "2.2.3")
-    (source (origin (inherit (package-source guile-2.2))
-                    (uri (list (string-append "mirror://gnu/guile/guile-"
-                                              version ".tar.xz")
-                               (string-append
-                                "https://wingolog.org/priv/guile-"
-                                version ".tar.xz")))
-                    (sha256
-                     (base32
-                      "11j01agvnci2cx32wwpqs9078856yxmvs15gcsz7ganpkj2ahlw3"))))))
+    (arguments
+     (if (%current-target-system)
+         (substitute-keyword-arguments (package-arguments guile-2.0)
+           ((#:phases phases '%standard-phases)
+            `(modify-phases ,phases
+               (add-after 'unpack 'sacrifice-elisp-support
+                 (lambda _
+                   ;; Cross-compiling language/elisp/boot.el fails, so
+                   ;; sacrifice it.  See
+                   ;; <https://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.2&id=988aa29238fca862c7e2cb55f15762a69b4c16ce>
+                   ;; for the upstream fix.
+                   (substitute* "module/Makefile.in"
+                     (("language/elisp/boot\\.el")
+                      "\n"))
+                   #t)))))
+         (package-arguments guile-2.0)))))
 
 (define-public guile-2.2/fixed
   ;; A package of Guile 2.2 that's rarely changed.  It is the one used
@@ -281,6 +282,65 @@ without requiring the source code to be rewritten.")
 (define-public guile-next
   (deprecated-package "guile-next" guile-2.2))
 
+(define (make-guile-readline guile)
+  (package
+    (name "guile-readline")
+    (version (package-version guile))
+    (source (package-source guile))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags '("--disable-silent-rules")
+       #:phases (modify-phases %standard-phases
+                  (add-before 'build 'chdir
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (invoke "make" "-C" "libguile" "scmconfig.h")
+                      (invoke "make" "-C" "lib")
+                      (chdir "guile-readline")
+
+                      (substitute* "Makefile"
+                        (("../libguile/libguile-[[:graph:]]+\\.la")
+                         ;; Remove dependency on libguile-X.Y.la.
+                         "")
+                        (("^READLINE_LIBS = (.*)$" _ libs)
+                         ;; Link against the provided libguile.
+                         (string-append "READLINE_LIBS = "
+                                        "-lguile-$(GUILE_EFFECTIVE_VERSION) "
+                                        libs "\n"))
+                        (("\\$\\(top_builddir\\)/meta/build-env")
+                         ;; Use the provided Guile, not the one from
+                         ;; $(builddir).
+                         "")
+
+                        ;; Install modules to the 'site' directories.
+                        (("^moddir = .*$")
+                         "moddir = $(pkgdatadir)/site/$(GUILE_EFFECTIVE_VERSION)\n")
+                        (("^ccachedir = .*$")
+                         "ccachedir = $(pkglibdir)/$(GUILE_EFFECTIVE_VERSION)/site-ccache\n"))
+
+                      ;; Load 'guile-readline.so' from the right place.
+                      (substitute* "ice-9/readline.scm"
+                        (("load-extension \"guile-readline\"")
+                         (format #f "load-extension \
+ (string-append ~s \"/lib/guile/\" (effective-version) \"/extensions/guile-readline\")"
+                                 (assoc-ref outputs "out"))))
+                      #t)))))
+    (home-page (package-home-page guile))
+    (native-inputs (package-native-inputs guile))
+    (inputs
+     `(,@(package-inputs guile)                   ;to placate 'configure'
+       ,@(package-propagated-inputs guile)
+       ("guile" ,guile)
+       ("readline" ,readline)))
+    (synopsis "Line editing support for GNU Guile")
+    (description
+     "This module provides line editing support via the Readline library for
+GNU@tie{}Guile.  Use the @code{(ice-9 readline)} module and call its
+@code{activate-readline} procedure to enable it.")
+    (license license:gpl3+)))
+
+(define-public guile-readline
+  (make-guile-readline guile-2.2))
+
 (define (guile-variant-package-name prefix)
   (lambda (name)
     "Return NAME with PREFIX instead of \"guile-\", when applicable."
diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm
index 21858e481c..4f51af24c5 100644
--- a/gnu/packages/haskell.scm
+++ b/gnu/packages/haskell.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015 Siniša Biđin <sinisa@bidin.eu>
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
@@ -280,9 +280,12 @@ top of CLISP.")
                   (mkdir-p libtinfo-dir)
                   (symlink
                    (string-append ncurses-lib "/libncursesw.so."
-                                  ,(version-major+minor
-                                    (package-version ncurses)))
+                                  ;; Extract "6.0" from "6.0-20170930".
+                                  ,(let* ((v (package-version ncurses))
+                                          (d (string-index v #\-)))
+                                     (version-major+minor (string-take v d))))
                    (string-append libtinfo-dir "/libtinfo.so.5"))
+
                   (setenv "PATH"
                           (string-append (getenv "PATH") ":"
                                          ghc-bootstrap-prefix "/bin"))
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 55bc9f2035..57e8fffb35 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;;
@@ -32,8 +32,7 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (replacement icu4c-fixed)
-   (version "58.2")
+   (version "60.2")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -42,11 +41,8 @@
                   "/icu4c-"
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
-            (patches
-             (search-patches "icu4c-CVE-2017-7867-CVE-2017-7868.patch"
-                             "icu4c-reset-keyword-list-iterator.patch"))
             (sha256
-             (base32 "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib"))))
+             (base32 "065l3n0q9wqaw8dz20x82srshhm6i987fr9ync5xf9mr6n7ylwzh"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
@@ -71,15 +67,6 @@ C/C++ part.")
    (license x11)
    (home-page "http://site.icu-project.org/")))
 
-(define icu4c-fixed
-  (package
-    (inherit icu4c)
-    (source (origin
-              (inherit (package-source icu4c))
-              (patches (append
-                         (origin-patches (package-source icu4c))
-                         (search-patches "icu4c-CVE-2017-14952.patch")))))))
-
 (define-public java-icu4j
   (package
     (name "java-icu4j")
diff --git a/gnu/packages/image-processing.scm b/gnu/packages/image-processing.scm
index c2f7025249..6705a726cf 100644
--- a/gnu/packages/image-processing.scm
+++ b/gnu/packages/image-processing.scm
@@ -99,8 +99,6 @@ licences similar to the Modified BSD licence."))))
     (arguments
      `(#:configure-flags
        (list "-DMIA_CREATE_NIPYPE_INTERFACES=0"
-             (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            (assoc-ref %outputs "out") "/lib")
              "-DCMAKE_CXX_FLAGS=-fpermissive")))
     (inputs
      `(("boost" ,boost)
diff --git a/gnu/packages/image-viewers.scm b/gnu/packages/image-viewers.scm
index f07b30805e..be7a1e9ba3 100644
--- a/gnu/packages/image-viewers.scm
+++ b/gnu/packages/image-viewers.scm
@@ -85,11 +85,7 @@
     (native-search-paths
      ;; Feh allows overriding the libcurl builtin CA path (unset in Guix)
      ;; with the same variable as the `curl` command line HTTP tool.
-     (list (search-path-specification
-            (variable "CURL_CA_BUNDLE")
-            (file-type 'regular)
-            (separator #f)                         ;single entry
-            (files '("etc/ssl/certs/ca-certificates.crt")))))
+     (package-native-search-paths curl))
     (synopsis "Fast and light imlib2-based image viewer")
     (description
       "feh is an X11 image viewer aimed mostly at console users.
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 548c1df44d..9358b5a52c 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -73,7 +73,7 @@
 (define-public libpng
   (package
    (name "libpng")
-   (version "1.6.29")
+   (version "1.6.34")
    (source (origin
             (method url-fetch)
             (uri (list (string-append "mirror://sourceforge/libpng/libpng16/"
@@ -86,7 +86,7 @@
                         "/libpng16/libpng-" version ".tar.xz")))
             (sha256
              (base32
-              "0fgjqp7x6jynacmqh6dj72cn6nnf6yxjfqqqfsxrx0pyx22bcia2"))))
+              "1xjr0v34fyjgnhvaa1zixcpx5yvxcg4zwvfh0fyklfyfj86rc7ig"))))
    (build-system gnu-build-system)
 
    ;; libpng.la says "-lz", so propagate it.
@@ -390,21 +390,15 @@ extracting icontainer icon files.")
 (define-public libtiff
   (package
    (name "libtiff")
-   (version "4.0.8")
+   (version "4.0.9")
    (source
      (origin
        (method url-fetch)
-       (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
+       (uri (string-append "http://download.osgeo.org/libtiff/tiff-"
                            version ".tar.gz"))
-       (patches
-         (search-patches "libtiff-tiffgetfield-bugs.patch"
-                         "libtiff-CVE-2016-10688.patch"
-                         "libtiff-CVE-2017-9936.patch"
-                         "libtiff-tiffycbcrtorgb-integer-overflow.patch"
-                         "libtiff-tiffycbcrtorgbinit-integer-overflow.patch"))
        (sha256
         (base32
-         "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr"))))
+         "1kfg4q01r4mqn7dj63ifhi6pmqzbf4xax6ni6kkk81ri5kndwyvf"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                           ;1.3 MiB of HTML documentation
@@ -483,20 +477,15 @@ arithmetic ops.")
 (define-public jbig2dec
   (package
     (name "jbig2dec")
-    (version "0.13")
+    (version "0.14")
     (source
       (origin
         (method url-fetch)
         (uri (string-append "http://downloads.ghostscript.com/public/" name "/"
                             name "-" version ".tar.gz"))
         (sha256
-          (base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s"))
-        (patches (search-patches "jbig2dec-ignore-testtest.patch"
-                                 "jbig2dec-CVE-2016-9601.patch"
-                                 "jbig2dec-CVE-2017-7885.patch"
-                                 "jbig2dec-CVE-2017-7975.patch"
-                                 "jbig2dec-CVE-2017-7976.patch"))))
-
+          (base32 "0k01hp0q4275fj4rbr1gy64svfraw5w7wvwl08yjhvsnpb1rid11"))
+        (patches (search-patches "jbig2dec-ignore-testtest.patch"))))
     (build-system gnu-build-system)
     (synopsis "Decoder of the JBIG2 image compression format")
     (description
diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index e2a0f75f76..2724f0f20a 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -7,6 +7,8 @@
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2016, 2017, 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Gábor Boskovits <boskovits@gmail.com>
+;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -2018,25 +2020,20 @@ debugging, etc.")
 (define-public java-classpathx-servletapi
   (package
     (name "java-classpathx-servletapi")
-    (version "3.0")
+    (version "3.0.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/classpathx/servletapi/"
                                   "servletapi-" version ".tar.gz"))
               (sha256
                (base32
-                "0y9489pk4as9q6x300sk3ycc0psqfxcd4b0xvbmf3rhgli8q1kx3"))))
+                "07d8h051siga2f33fra72hk12sbq1bxa4jifjg0qj0vfazjjff0x"))))
     (build-system ant-build-system)
     (arguments
      `(#:tests? #f ; there is no test target
        #:build-target "compile"
-       ;; NOTE: This package does not build with Java 8 because of a type
-       ;; mismatch in
-       ;; "source/javax/servlet/jsp/el/ImplicitObjectELResolver.java".  It
-       ;; defines the return value of ScopeMap's "remove" method to be of type
-       ;; "Object", whereas Map's "remove" method returns boolean.
        #:make-flags
-       (list "-Dbuild.compiler=javac1.7"
+       (list "-Dbuild.compiler=javac1.8"
              (string-append "-Ddist=" (assoc-ref %outputs "out")))
        #:phases
        (modify-phases %standard-phases
@@ -2665,23 +2662,31 @@ archives (jar).")
 (define-public java-asm
   (package
     (name "java-asm")
-    (version "5.2")
+    (version "6.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://download.forge.ow2.org/asm/"
                                   "asm-" version ".tar.gz"))
               (sha256
                (base32
-                "0kxvmv5275rnjl7jv0442k3wjnq03ngkb7sghs78avf45pzm4qgr"))))
+                "115l5pqblirdkmzi32dxx7gbcm4jy0s14y5wircr6h8jdr9aix00"))))
     (build-system ant-build-system)
+    (propagated-inputs
+     `(("java-aqute-bndlib" ,java-aqute-bndlib)))
     (arguments
      `(#:build-target "compile"
        ;; The tests require an old version of Janino, which no longer compiles
        ;; with the JDK7.
        #:tests? #f
-       ;; We don't need these extra ant tasks, but the build system asks us to
-       ;; provide a path anyway.
-       #:make-flags (list (string-append "-Dobjectweb.ant.tasks.path=foo"))
+       #:make-flags
+       (list
+        ;; We don't need these extra ant tasks, but the build system asks us to
+        ;; provide a path anyway.
+        "-Dobjectweb.ant.tasks.path=dummy-path"
+        ;; The java-aqute.bndlib JAR file will be put onto the classpath and
+        ;; used during the build automatically by ant-build-system, but
+        ;; java-asm's build.xml fails unless we provide something here.
+        "-Dbiz.aQute.bnd.path=dummy-path")
        #:phases
        (modify-phases %standard-phases
          (add-before 'install 'build-jars
@@ -3272,6 +3277,7 @@ file filters and endian classes.")
     (outputs '("out" "doc"))
     (arguments
      `(#:test-target "test"
+       #:test-exclude (list "**/Abstract*.java" "**/Random*.java")
        #:phases
        (modify-phases %standard-phases
          (add-after 'build 'build-javadoc ant-build-javadoc)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a9..4ef604d02a 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -46,16 +46,19 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (replacement mit-krb5-1.15.2)
-    (version "1.15.1")
+    (version "1.16")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
-                                  (version-major+minor version)
-                                  "/krb5-" version ".tar.gz"))
+              (uri (list
+                    (string-append "https://web.mit.edu/kerberos/dist/krb5/"
+                                   (version-major+minor version)
+                                   "/krb5-" version ".tar.gz")
+                    (string-append "https://kerberos.org/dist/krb5/"
+                                   (version-major+minor version)
+                                   "/krb5-" version ".tar.gz")))
               (sha256
                (base32
-                "0igbi5d095c2hgpn2cixpc4q2ij8vgg2bx7yjfly5zfmvlqqhz23"))))
+                "024yjr15ij0qdnay0bcqfpclgfri0qa8iw4r5zdlryxhhdgi5szs"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
@@ -94,19 +97,6 @@ cryptography.")
     (home-page "http://web.mit.edu/kerberos/")
     (properties '((cpe-name . "kerberos")))))
 
-(define mit-krb5-1.15.2 ; CVE-2017-{11368,11462}
-  (package
-    (inherit mit-krb5)
-    (version "1.15.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
-                                  (version-major+minor version)
-                                  "/krb5-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0zn8s7anb10hw3nzwjz7vg10fgmmgvwnibn2zrn3nppjxn9f6f8n"))))))
-
 (define-public shishi
   (package
     (name "shishi")
diff --git a/gnu/packages/libevent.scm b/gnu/packages/libevent.scm
index b613bf1382..9d96e651ac 100644
--- a/gnu/packages/libevent.scm
+++ b/gnu/packages/libevent.scm
@@ -121,23 +121,22 @@ limited support for fork events.")
 (define-public libuv
   (package
     (name "libuv")
-    (version "1.14.1")
+    (version "1.18.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dist.libuv.org/dist/v" version
                                   "/libuv-v" version ".tar.gz"))
               (sha256
                (base32
-                "08kx4mzjsdv90n9pivqxqjxlxk5vaf9p33zzvx661dwfmp9468pk"))))
+                "125bzmzc32m52hd9iv8jvjlc7r3gadxgvp31a2fz2wlil16p7r2l"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (alist-cons-after
-                 'unpack 'autogen
-                 (lambda _
-                   ;; Fashionable people don't run 'make dist' these days, so
-                   ;; we need to do that ourselves.
-                   (zero? (system* "sh" "autogen.sh")))
-                 %standard-phases)
+     '(#:phases (modify-phases %standard-phases
+                  (add-after 'unpack 'autogen
+                    (lambda _
+                      ;; Fashionable people don't run 'make dist' these days, so
+                      ;; we need to do that ourselves.
+                      (zero? (system* "sh" "autogen.sh")))))
 
        ;; XXX: Some tests want /dev/tty, attempt to make connections, etc.
        #:tests? #f))
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index dfb1be6c4f..c2290b53af 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -38,7 +39,17 @@
                                 ".tar.gz"))
             (sha256
              (base32
-              "068fjg2arlppjqqpzd714n1lf6gxkpac9v5yyvp1qwmv6nvam9s4"))))
+              "068fjg2arlppjqqpzd714n1lf6gxkpac9v5yyvp1qwmv6nvam9s4"))
+            (modules '((guix build utils)))
+            (snippet
+             '(begin
+                ;; The gnulib test-lock test is prone to writer starvation
+                ;; with our glibc@2.25, which prefers readers, so disable it.
+                ;; The gnulib commit b20e8afb0b2 should fix this once
+                ;; incorporated here.
+                (substitute* "lib/gltests/Makefile.in"
+                  (("test-lock\\$\\(EXEEXT\\) ") ""))
+                #t))))
    (build-system gnu-build-system)
 ;; FIXME: No Java and C# libraries are currently built.
    (synopsis "Internationalized string processing library")
@@ -55,15 +66,14 @@ Java libraries.")
 (define-public libidn2
   (package
     (name "libidn2")
-    (version "2.0.2")
-    (replacement libidn2-2.0.4)
+    (version "2.0.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/libidn/" name "-" version
                                   ".tar.lz"))
               (sha256
                (base32
-                "0pqaj8d01aj4i110669fincqs10kgynyqcrmq2q7pss8v9dcd1jq"))))
+                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))
     (native-inputs
      `(("lzip" ,lzip)))
     (inputs
@@ -75,19 +85,7 @@ the IDNA2008 specifications.   Libidn2 is believed to be a complete IDNA2008
 implementation, but has yet to be as extensively used as the original Libidn
 library.")
     (home-page "https://www.gnu.org/software/libidn/#libidn2")
+    (properties '((ftp-directory . "/gnu/libidn")))
     ;; The command-line tool 'idn2' is GPL3+, while the library is dual-licensed
     ;; GPL2+ or LGPL3+.
     (license (list gpl2+ gpl3+ lgpl3+))))
-
-(define-public libidn2-2.0.4
-  (package
-    (inherit libidn2)
-    (name "libidn2")
-    (version "2.0.4")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/libidn/" name "-" version
-                                  ".tar.lz"))
-              (sha256
-               (base32
-                "00f2fyw5kwr9is3cdn5h9arzxp0lnvg0z9bb9zyfs0dq81gaqim4"))))))
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index df02f68cea..1d421fb17d 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2017 Eric Bavier <bavier@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,7 +32,7 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.7")
+   (version "0.9.8")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -39,11 +40,17 @@
                   version ".tar.xz"))
             (sha256
              (base32
-              "15z76qrmrvkc3c6hfq2lzzqysgd21s682f2smycfab5g598n8drf"))
-             ;; test-lock has performance issues on multi-core machines,
-             ;; it hangs or takes a long time to complete.
-             ;; This is a commit from gnulib to fix this issue.
-            (patches (search-patches "libunistring-gnulib-multi-core.patch"))))
+              "101gjj9q39pjlcaixylya6is5i7vlbnxr1w5w6raqvvhab7ki4vv"))
+            (modules '((guix build utils)))
+            (snippet
+             '(begin
+                ;; The gnulib test-lock test is prone to writer starvation
+                ;; with our glibc@2.25, which prefers readers, so disable it.
+                ;; The gnulib commit b20e8afb0b2 should fix this once
+                ;; incorporated here.
+                (substitute* "tests/Makefile.in"
+                  (("test-lock\\$\\(EXEEXT\\) ") ""))
+                #t))))
    (propagated-inputs (libiconv-if-needed))
    (build-system gnu-build-system)
    (arguments
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index aa36f05c75..12e81a6965 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -157,13 +157,13 @@ defconfig.  Return the appropriate make target if applicable, otherwise return
 (define-public linux-libre-headers
   (package
     (name "linux-libre-headers")
-    (version "4.4.47")
+    (version "4.9.59")
     (source (origin
              (method url-fetch)
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "00zdq7swhvzbbnnhzizq6m34q5k4fycpcp215bmkbxh1ic76v7bs"))))
+               "0z8hq8a6ic38xh33idzl0k0yi4isgd7ncl2g1d6mzf9ixw5krhvc"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -515,7 +515,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.30.1")
+    (version "2.31")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -523,7 +523,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0hdq2fz405a89fyha4bgwg0rx8b65inxq17w8fg8qhmcj4x3dr0v"))
+                "12nw108xjhm63sh2n5a0qs33vpvbvb6rln96l9j50p7wykf7rgpr"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -540,6 +540,8 @@ providing the system administrator with some help in common tasks.")
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
                                "--enable-fs-paths-default=/run/current-system/profile/sbin"
+                               ;; Don't try to chown root:root mount and umount
+                               "--disable-makeinstall-chown"
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -1196,16 +1198,6 @@ primary network configuration tools, but ifconfig is known to behave
 inadequately in modern network environments, and both should be deprecated.")
     (license license:gpl2+)))
 
-;; There are two packages for net-tools. The first, net-tools, is more recent
-;; and probably safer to use with untrusted inputs (i.e. the internet).  The
-;; second, net-tools-for-tests, is relatively old and buggy. It can be used in
-;; package test suites and should never be referred to by a built package. Use
-;; #:disallowed-references to enforce this.
-;;
-;; When we are able to rebuild many packages (i.e. core-updates), we can update
-;; net-tools-for-tests if appropriate.
-;;
-;; See <https://bugs.gnu.org/27811> for more information.
 (define-public net-tools
   ;; XXX: This package is basically unmaintained, but it provides a few
   ;; commands not yet provided by Inetutils, such as 'route', so we have to
@@ -1281,108 +1273,6 @@ network hardware types (plipconfig, slattach) and advanced aspects of IP
 configuration (iptunnel, ipmaddr).")
       (license license:gpl2+))))
 
-(define-public net-tools-for-tests
-  (hidden-package (package (inherit net-tools)
-    (version "1.60")
-    ;; Git depends on net-tools-for-tests via GnuTLS, so we can't use git-fetch
-    ;; here.  We should find a better workaround for this problem so that we can
-    ;; use the latest upstream source.
-    (source (origin
-             (method url-fetch)
-             (uri (list (string-append
-                         "mirror://sourceforge/net-tools/net-tools-"
-                         version ".tar.bz2")
-                        (string-append
-                         "http://distro.ibiblio.org/rootlinux/rootlinux-ports"
-                         "/base/net-tools/net-tools-1.60.tar.bz2")))
-             (sha256
-              (base32
-               "0yvxrzk0mzmspr7sa34hm1anw6sif39gyn85w4c5ywfn8inxvr3s"))
-             (patches (search-patches "net-tools-bitrot.patch"))))
-    (build-system gnu-build-system)
-    (arguments
-     '(#:modules ((guix build gnu-build-system)
-                  (guix build utils)
-                  (srfi srfi-1)
-                  (srfi srfi-26))
-       #:phases (alist-cons-after
-                 'unpack 'patch
-                 (lambda* (#:key inputs #:allow-other-keys)
-                   (define (apply-patch file)
-                     (zero? (system* "patch" "-p1" "--force"
-                                     "--input" file)))
-
-                   (let ((patch.gz (assoc-ref inputs "patch")))
-                     (format #t "applying Debian patch set '~a'...~%"
-                             patch.gz)
-                     (system (string-append "gunzip < " patch.gz " > the-patch"))
-                     (and (apply-patch "the-patch")
-                          (for-each apply-patch
-                                    (find-files "debian/patches"
-                                                "\\.patch")))))
-                 (alist-replace
-                  'configure
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    (let ((out (assoc-ref outputs "out")))
-                      (mkdir-p (string-append out "/bin"))
-                      (mkdir-p (string-append out "/sbin"))
-
-                      ;; Pretend we have everything...
-                      (system "yes | make config")
-
-                      ;; ... except for the things we don't have.
-                      ;; HAVE_AFDECnet requires libdnet, which we don't have.
-                      ;; HAVE_HWSTRIP and HAVE_HWTR require kernel headers
-                      ;; that have been removed.
-                      (substitute* '("config.make" "config.h")
-                        (("^.*HAVE_(AFDECnet|HWSTRIP|HWTR)[ =]1.*$") ""))))
-                  (alist-cons-after
-                   'install 'remove-redundant-commands
-                   (lambda* (#:key outputs #:allow-other-keys)
-                     ;; Remove commands and man pages redundant with
-                     ;; Inetutils.
-                     (let* ((out (assoc-ref outputs "out"))
-                            (dup (append-map (cut find-files out <>)
-                                             '("^hostname"
-                                               "^(yp|nis|dns)?domainname"))))
-                       (for-each delete-file dup)
-                       #t))
-                   %standard-phases)))
-
-       ;; Binaries that depend on libnet-tools.a don't declare that
-       ;; dependency, making it parallel-unsafe.
-       #:parallel-build? #f
-
-       #:tests? #f                                ; no test suite
-       #:make-flags (let ((out (assoc-ref %outputs "out")))
-                      (list "CC=gcc"
-                            (string-append "BASEDIR=" out)
-                            (string-append "INSTALLNLSDIR=" out "/share/locale")
-                            (string-append "mandir=/share/man")))))
-
-    ;; We added unzip to the net-tools package's native-inputs when
-    ;; switching its source from a Git checkout to a zip archive.  We
-    ;; need to specify the native-inputs here to keep unzip out of the
-    ;; build of net-tools-for-tests, so that we don't have to rebuild
-    ;; many packages on the master branch.  We can make
-    ;; net-tools-for-tests inherit directly from net-tools in the next
-    ;; core-updates cycle.
-    (native-inputs `(("gettext" ,gettext-minimal)))
-
-    ;; Use the big Debian patch set (the thing does not even compile out of
-    ;; the box.)
-    ;; XXX The patch is not actually applied, due to a bug in the 'patch' phase
-    ;; above. However, this package variant is only used in GnuTLS's tests. It
-    ;; will be adjusted when convenient for the build farm.
-    ;; See <https://bugs.gnu.org/27811> for more information.
-    (inputs `(("patch" ,(origin
-                         (method url-fetch)
-                         (uri
-                          "http://ftp.de.debian.org/debian/pool/main/n/net-tools/net-tools_1.60-24.2.diff.gz")
-                         (sha256
-                          (base32
-                           "0p93lsqx23v5fv4hpbrydmfvw1ha2rgqpn2zqbs2jhxkzhjc030p")))))))))
-
 (define-public libcap
   (package
     (name "libcap")
@@ -1740,15 +1630,12 @@ user-space processes.")
                 "0hsn8l1iblvx27bpd4dvnvnbh9ri3sv2f9xzpsnfz3379kb7skgj"))))
     (build-system cmake-build-system)
     (native-inputs
-     `(("python" ,python)
-       ("python-pytest" ,python-pytest)))
+     `(("python" ,python)))
     (inputs `(("fuse" ,fuse)))
     (arguments
-     '(#:phases
-       (modify-phases %standard-phases
-         (replace 'check
-           ;; Borrowed from the Makefile
-           (lambda _ (zero? (system* "python3" "-m" "pytest")))))))
+     ;; The tests were never actually run ("collected 0 items"), but in recent
+     ;; versions of pytest that causes an error.
+     '(#:tests? #f))
     (home-page "https://github.com/rpodgorny/unionfs-fuse")
     (synopsis "User-space union file system")
     (description
@@ -2059,30 +1946,50 @@ from the module-init-tools project.")
   ;; The post-systemd fork, maintained by Gentoo.
   (package
     (name "eudev")
-    (version "3.2.2")
+    (version "3.2.4")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                    "http://dev.gentoo.org/~blueness/eudev/eudev-"
-                    version ".tar.gz"))
+              (uri (string-append "https://github.com/gentoo/eudev/archive/v"
+                                  version ".zip"))
+              (file-name (string-append name "-" version ".zip"))
               (sha256
                (base32
-                "0qqgbgpm5wdllk0s04pf80nwc8pr93xazwri1bylm1f15zn5ck1y"))
+                "1r1ag0snarygrj5qqxi2xdq9w6g3sfjd5jx1b0fl7zmqlsz3vvxx"))
               (patches (search-patches "eudev-rules-directory.patch"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (modify-phases %standard-phases
-                  (add-after 'install 'build-hwdb
-                    (lambda* (#:key outputs #:allow-other-keys)
-                      ;; Build OUT/etc/udev/hwdb.bin.  This allows 'lsusb' and
-                      ;; similar tools to display product names.
-                      (let ((out (assoc-ref outputs "out")))
-                        (zero? (system* (string-append out "/bin/udevadm")
-                                        "hwdb" "--update"))))))))
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'bootstrap
+           (lambda* (#:key inputs #:allow-other-keys)
+            (substitute* "man/make.sh"
+              (("/usr/bin/xsltproc")
+                (string-append (assoc-ref inputs "xsltproc")
+                               "/bin/xsltproc")))
+            ;; Manual pages are regenerated here.
+            (zero? (system* "./autogen.sh"))))
+         (add-after 'install 'build-hwdb
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Build OUT/etc/udev/hwdb.bin.  This allows 'lsusb' and
+             ;; similar tools to display product names.
+             (let ((out (assoc-ref outputs "out")))
+               (zero? (system* (string-append out "/bin/udevadm")
+                               "hwdb" "--update"))))))
+       #:configure-flags (list "--enable-manpages")))
     (native-inputs
-     `(("pkg-config" ,pkg-config)
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("gperf" ,gperf)
+       ("libtool" ,libtool)
+       ("pkg-config" ,pkg-config)
+       ;; For tests.
        ("perl" ,perl)
-       ("gperf" ,gperf)))
+       ("python" ,python-wrapper)
+       ;; For documentation.
+       ("docbook-xml" ,docbook-xml-4.2)
+       ("docbook-xsl" ,docbook-xsl)
+       ("libxml2" ,libxml2)             ;for $XML_CATALOG_FILES
+       ("xsltproc", libxslt)))
     (inputs
      ;; When linked against libblkid, eudev can populate /dev/disk/by-label
      ;; and similar; it also installs the '60-persistent-storage.rules' file,
@@ -2656,7 +2563,9 @@ Translation (@dfn{SAT}) are also supported.")
 which is used to enable and disable wireless networking devices, typically
 WLAN, Bluetooth and mobile broadband.")
     (license (license:non-copyleft "file://COPYING"
-                                   "See COPYING in the distribution."))))
+                                   "See COPYING in the distribution."))
+    ;; rfkill is part of util-linux as of 2.31.
+    (properties `((superseded . ,util-linux)))))
 
 (define-public acpi
   (package
@@ -3079,16 +2988,14 @@ Bluetooth audio output devices like headphones or loudspeakers.")
                (string-append "--with-udevdir=" out "/lib/udev")))
        #:phases
        (modify-phases %standard-phases
-         ,@(if (string=? (%current-system) "armhf-linux")
-               ;; This test fails unpredictably.
-               ;; TODO: skip it for all architectures.
-               `((add-before 'check 'skip-wonky-test
-                  (lambda _
-                    (substitute* "unit/test-gatt.c"
-                      (("tester_init\\(&argc, &argv\\);") "return 77;"))
-                    #t)))
-               `())
-
+         ;; Test unit/test-gatt fails unpredictably. Seems to be a timing
+         ;; issue (discussion on upstream mailing list:
+         ;; https://marc.info/?t=149578476300002&r=1&w=2)
+         (add-before 'check 'skip-wonky-test
+            (lambda _
+              (substitute* "unit/test-gatt.c"
+                (("tester_init\\(&argc, &argv\\);") "return 77;"))
+              #t))
          (add-after 'install 'post-install
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (let* ((out        (assoc-ref outputs "out"))
@@ -3157,6 +3064,7 @@ write access to exFAT devices.")
               (uri (string-append
                     "http://www.nico.schottelius.org/software/gpm/archives/gpm-"
                     version ".tar.bz2"))
+              (patches (search-patches "gpm-glibc-2.26.patch"))
               (sha256
                (base32
                 "13d426a8h403ckpc8zyf7s2p5rql0lqbg2bv0454x0pvgbfbf4gh"))))
@@ -3460,9 +3368,6 @@ The package provides additional NTFS tools.")
        ;; to do the same for consistency. They also recommend using the
        ;; "Release" build type.
        #:configure-flags (list "-GNinja"
-                               ;; Defaults to "lib64" on 64-bit archs.
-                               (string-append "-DCMAKE_INSTALL_LIBDIR="
-                                              (assoc-ref %outputs "out") "/lib")
                                "-DCMAKE_BUILD_TYPE=Release")
        #:phases
        (modify-phases %standard-phases
diff --git a/gnu/packages/lisp.scm b/gnu/packages/lisp.scm
index 8427a19714..b38efac820 100644
--- a/gnu/packages/lisp.scm
+++ b/gnu/packages/lisp.scm
@@ -6,7 +6,7 @@
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
 ;;; Copyright © 2016, 2017 Andy Patterson <ajpatter@uwaterloo.ca>
 ;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017, 2018 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -262,17 +262,15 @@ supporting ASDF, Sockets, Gray streams, MOP, and other useful components.")
        (file-name (string-append name "-" version "-checkout"))
        (sha256
         (base32 "0qjv3z274rbdmb941hy03hl63f4z7bmci234f8dyz4skgfr82d3i"))
-       (patches (search-patches "clisp-remove-failing-test.patch"))))
+       (patches (search-patches "clisp-glibc-2.26.patch"
+                                "clisp-remove-failing-test.patch"))))
     (build-system gnu-build-system)
     (inputs `(("libffcall" ,libffcall)
               ("ncurses" ,ncurses)
               ("readline" ,readline)
               ("libsigsegv" ,libsigsegv)))
     (arguments
-     '(;; XXX The custom configure script does not cope well when passed
-       ;; --build=<triplet>.
-       #:configure-flags '("CFLAGS=-falign-functions=4"
-                           "--enable-portability"
+     '(#:configure-flags '("--enable-portability"
                            "--with-dynamic-ffi"
                            "--with-dynamic-modules"
                            "--with-module=bindings/glibc"
diff --git a/gnu/packages/llvm.scm b/gnu/packages/llvm.scm
index b13a33ff1f..2dddbc4361 100644
--- a/gnu/packages/llvm.scm
+++ b/gnu/packages/llvm.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Dennis Mungai <dmngaie@gmail.com>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
@@ -98,7 +98,8 @@ of programming tools as well as libraries with equivalent functionality.")
                    "-DLLVM_REQUIRES_RTTI=1")
                  ,flags))))))
 
-(define (clang-runtime-from-llvm llvm hash)
+(define* (clang-runtime-from-llvm llvm hash
+                                  #:optional (patches '()))
   (package
     (name "clang-runtime")
     (version (package-version llvm))
@@ -107,7 +108,8 @@ of programming tools as well as libraries with equivalent functionality.")
        (method url-fetch)
        (uri (string-append "http://llvm.org/releases/"
                            version "/compiler-rt-" version ".src.tar.xz"))
-       (sha256 (base32 hash))))
+       (sha256 (base32 hash))
+       (patches (map search-patch patches))))
     (build-system cmake-build-system)
     (native-inputs (package-native-inputs llvm))
     (inputs
@@ -212,7 +214,8 @@ code analysis tools.")
 (define-public clang-runtime
   (clang-runtime-from-llvm
    llvm
-   "0p0y85c7izndbpg2l816z7z7558axq11d5pwkm4h11sdw7d13w0d"))
+   "0p0y85c7izndbpg2l816z7z7558axq11d5pwkm4h11sdw7d13w0d"
+   '("clang-runtime-asan-build-fixes.patch")))
 
 (define-public clang
   (clang-from-llvm llvm clang-runtime
@@ -235,7 +238,9 @@ code analysis tools.")
 (define-public clang-runtime-3.9.1
   (clang-runtime-from-llvm
    llvm-3.9.1
-   "16gc2gdmp5c800qvydrdhsp0bzb97s8wrakl6i8a4lgslnqnf2fk"))
+   "16gc2gdmp5c800qvydrdhsp0bzb97s8wrakl6i8a4lgslnqnf2fk"
+   '("clang-runtime-asan-build-fixes.patch"
+     "clang-runtime-esan-build-fixes.patch")))
 
 (define-public clang-3.9.1
   (clang-from-llvm llvm-3.9.1 clang-runtime-3.9.1
@@ -257,7 +262,8 @@ code analysis tools.")
 (define-public clang-runtime-3.7
   (clang-runtime-from-llvm
    llvm-3.7
-   "10c1mz2q4bdq9bqfgr3dirc6hz1h3sq8573srd5q5lr7m7j6jiwx"))
+   "10c1mz2q4bdq9bqfgr3dirc6hz1h3sq8573srd5q5lr7m7j6jiwx"
+   '("clang-runtime-asan-build-fixes.patch")))
 
 (define-public clang-3.7
   (clang-from-llvm llvm-3.7 clang-runtime-3.7
@@ -278,7 +284,8 @@ code analysis tools.")
 (define-public clang-runtime-3.6
   (clang-runtime-from-llvm
    llvm-3.6
-   "11qx8d3pbfqjaj2x207pvlvzihbs1z2xbw4crpz7aid6h1yz6bqg"))
+   "11qx8d3pbfqjaj2x207pvlvzihbs1z2xbw4crpz7aid6h1yz6bqg"
+   '("clang-runtime-asan-build-fixes.patch")))
 
 (define-public clang-3.6
   (clang-from-llvm llvm-3.6 clang-runtime-3.6
@@ -301,7 +308,8 @@ code analysis tools.")
 (define-public clang-runtime-3.5
   (clang-runtime-from-llvm
    llvm-3.5
-   "1hsdnzzdr5kglz6fnv3lcsjs222zjsy14y8ax9dy6zqysanplbal"))
+   "1hsdnzzdr5kglz6fnv3lcsjs222zjsy14y8ax9dy6zqysanplbal"
+   '("clang-runtime-asan-build-fixes.patch")))
 
 (define-public clang-3.5
   (clang-from-llvm llvm-3.5 clang-runtime-3.5
diff --git a/gnu/packages/lua.scm b/gnu/packages/lua.scm
index b375ff90c3..e6453fa360 100644
--- a/gnu/packages/lua.scm
+++ b/gnu/packages/lua.scm
@@ -290,7 +290,7 @@ secure session between the peers.")
 (define-public lua-lgi
   (package
     (name "lua-lgi")
-    (version "0.9.1")
+    (version "0.9.2")
     (source
       (origin
         (method url-fetch)
@@ -300,7 +300,7 @@ secure session between the peers.")
         (file-name (string-append name "-" version ".tar.gz"))
         (sha256
           (base32
-            "1fmgdl5y4ph3yc6ycg865s3vai1rjkyda61cgqxk6zd13hmznw0c"))))
+            "0kwcaj3ahi9gxfyp0lr5zgr6vi1mgsg9sz0980x0nwxlh9a11i6g"))))
     (build-system gnu-build-system)
     (arguments
      '(#:make-flags (list "CC=gcc"
@@ -351,7 +351,8 @@ secure session between the peers.")
        ("libffi" ,libffi)
        ("xorg-server", xorg-server)))
     (native-inputs
-     `(("pkg-config" ,pkg-config)))
+     `(("pkg-config" ,pkg-config)
+       ("dbus" ,dbus)))                          ;tests use 'dbus-run-session'
     (home-page "https://github.com/pavouk/lgi/")
     (synopsis "Lua bridge to GObject based libraries")
     (description
diff --git a/gnu/packages/machine-learning.scm b/gnu/packages/machine-learning.scm
index bd13cedcb3..e45c1ae3d3 100644
--- a/gnu/packages/machine-learning.scm
+++ b/gnu/packages/machine-learning.scm
@@ -541,11 +541,7 @@ and a QP solver.")
                   #t))))
     (build-system cmake-build-system)
     (arguments
-     ;; Recent releases defaults to "lib64" on 64bit.
-     `(#:configure-flags (list (string-append "-DCMAKE_INSTALL_LIBDIR="
-                                              (assoc-ref %outputs "out")
-                                              "/lib"))
-       #:phases
+     `(#:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'disable-asserts
            (lambda _
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index 492ccb8114..07ac93686a 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -104,10 +104,12 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
             ("cross-binutils" ,(cross-binutils target))
             ,@(%final-inputs)))
         `(("libc" ,(glibc-for-bootstrap))
+          ("libc:static" ,(glibc-for-bootstrap) "static")
           ("gcc" ,(package (inherit gcc)
                     (outputs '("out")) ; all in one so libgcc_s is easily found
                     (inputs
                      `(("libc",(glibc-for-bootstrap))
+                       ("libc:static" ,(glibc-for-bootstrap) "static")
                        ,@(package-inputs gcc)))))
           ,@(fold alist-delete (%final-inputs) '("libc" "gcc")))))
 
@@ -520,30 +522,31 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                      ,@(alist-delete "bdw-gc"
                                      (package-propagated-inputs guile-2.2))))
                   (arguments
-                   `(;; When `configure' checks for ltdl availability, it
-                     ;; doesn't try to link using libtool, and thus fails
-                     ;; because of a missing -ldl.  Work around that.
-                     #:configure-flags '("LDFLAGS=-ldl")
-
-                     #:phases (alist-cons-before
-                               'configure 'static-guile
-                               (lambda _
-                                 (substitute* "libguile/Makefile.in"
-                                   ;; Create a statically-linked `guile'
-                                   ;; executable.
-                                   (("^guile_LDFLAGS =")
-                                    "guile_LDFLAGS = -all-static")
-
-                                   ;; Add `-ldl' *after* libguile-2.2.la.
-                                   (("^guile_LDADD =(.*)$" _ ldadd)
-                                    (string-append "guile_LDADD = "
-                                                   (string-trim-right ldadd)
-                                                   " -ldl\n"))))
-                               %standard-phases)
-
-                     ;; There are uses of `dynamic-link' in
-                     ;; {foreign,coverage}.test that don't fly here.
-                     #:tests? #f)))))
+                   (substitute-keyword-arguments (package-arguments guile-2.2)
+                     ((#:configure-flags flags '())
+                      ;; When `configure' checks for ltdl availability, it
+                      ;; doesn't try to link using libtool, and thus fails
+                      ;; because of a missing -ldl.  Work around that.
+                      ''("LDFLAGS=-ldl"))
+                     ((#:phases phases '%standard-phases)
+                      `(modify-phases ,phases
+                         (add-before 'configure 'static-guile
+                           (lambda _
+                             (substitute* "libguile/Makefile.in"
+                               ;; Create a statically-linked `guile'
+                               ;; executable.
+                               (("^guile_LDFLAGS =")
+                                "guile_LDFLAGS = -all-static")
+
+                               ;; Add `-ldl' *after* libguile-2.2.la.
+                               (("^guile_LDADD =(.*)$" _ ldadd)
+                                (string-append "guile_LDADD = "
+                                               (string-trim-right ldadd)
+                                               " -ldl\n")))))))
+                     ((#:tests? _ #f)
+                      ;; There are uses of `dynamic-link' in
+                      ;; {foreign,coverage}.test that don't fly here.
+                      #f))))))
     (package-with-relocatable-glibc (static-package guile))))
 
 (define %guile-static-stripped
diff --git a/gnu/packages/man.scm b/gnu/packages/man.scm
index 2c91f012ae..ac3f2b74bd 100644
--- a/gnu/packages/man.scm
+++ b/gnu/packages/man.scm
@@ -186,7 +186,7 @@ Linux kernel and C library interfaces employed by user-space programs.")
 (define-public help2man
   (package
     (name "help2man")
-    (version "1.47.4")
+    (version "1.47.5")
     (source
      (origin
       (method url-fetch)
@@ -194,7 +194,7 @@ Linux kernel and C library interfaces employed by user-space programs.")
                           version ".tar.xz"))
       (sha256
        (base32
-        "0lvp4306f5nq08f3snffs5pp1zwv8l35z6f5g0dds51zs6bzdv6l"))))
+        "1cb14kp380jzk1yi4i7x9d8qplc8c5mgcbgycgs9ggpx34jhp9kw"))))
     (build-system gnu-build-system)
     (arguments `(;; There's no `check' target.
                  #:tests? #f))
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index bce6627379..11d336a691 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -464,12 +464,6 @@ large scale eigenvalue problems.")
               ("python" ,python-2)))
     (arguments
      `(#:configure-flags (list
-                          ;; Install to PREFIX/lib (the default is
-                          ;; PREFIX/lib64).
-                          (string-append "-DCMAKE_INSTALL_LIBDIR="
-                                         (assoc-ref %outputs "out")
-                                         "/lib")
-
                           "-DBUILD_SHARED_LIBS:BOOL=YES"
                           "-DLAPACKE=ON"
 
@@ -1361,6 +1355,7 @@ script files.")
                "https://github.com/tpaviot/oce/archive/OCE-"
                version
                ".tar.gz"))
+        (patches (search-patches "opencascade-oce-glibc-2.26.patch"))
         (sha256
           (base32
             "0vpmnb0k5y2f7lpmwx9pg9yfq24zjvnsak5alzacncfm1hv9b6cd"))))
@@ -1963,8 +1958,7 @@ void mc64ad_ (int *a, int *b, int *c, int *d, int *e, double *f, int *g,
     (arguments
      `(#:configure-flags '("-Denable_blaslib:BOOL=NO" ;do not use internal cblas
                            "-DTPL_BLAS_LIBRARIES=openblas"
-                           "-DBUILD_SHARED_LIBS:BOOL=YES"
-                           "-DCMAKE_INSTALL_LIBDIR=lib")))
+                           "-DBUILD_SHARED_LIBS:BOOL=YES")))
     (home-page "http://crd-legacy.lbl.gov/~xiaoye/SuperLU/")
     (synopsis "Supernodal direct solver for sparse linear systems")
     (description
@@ -2617,7 +2611,7 @@ parts of it.")
 (define-public openblas
   (package
     (name "openblas")
-    (version "0.2.19")
+    (version "0.2.20")
     (source
      (origin
        (method url-fetch)
@@ -2626,10 +2620,10 @@ parts of it.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "071zqnmnxhh0c9phzyn3f198yxa0hjxda7016azdbq2056sm70w7"))))
+         "1bd03c5xni0bla0wg1wba841b36b0sg13sjja955kn5xzvy4i61a"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f  ;no "check" target
+     `(#:test-target "test"
        ;; DYNAMIC_ARCH is only supported on x86.  When it is disabled and no
        ;; TARGET is specified, OpenBLAS will tune itself to the build host, so
        ;; we need to disable substitutions.
@@ -3581,11 +3575,7 @@ as equations, scalars, vectors, and matrices.")
              "-DINSTALL_PYTHON_BINDINGS=true"
              (string-append "-DCMAKE_INSTALL_PYTHON_PKG_DIR="
                             %output
-                            "/lib/python2.7/site-packages")
-             (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            %output
-                            "/lib"))
-
+                            "/lib/python2.7/site-packages"))
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'bootstrap
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 3107bbb979..8bd4a848fe 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -89,13 +89,13 @@ algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.5")
+   (version "3.1.6")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "1g32l2fg8f62lcyzzh88y3fsh6rk539qc6ahhdgvx7wpnf1dwpq1"))))
+                     "0l598h9klpgkz2bp0rxiqb90mkqh9f2f81n5rpy191j00hdaqqks"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 3d01fe6163..548261289e 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -1,10 +1,11 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -39,12 +40,12 @@
 (define-public ncurses
   (package
     (name "ncurses")
-    (version "6.0")
+    (version "6.0-20170930")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/ncurses/ncurses-"
-                                  version ".tar.gz"))
-              (patches (search-patches "ncurses-CVE-2017-10684-10685.patch"))
+                                  (car (string-split version #\-))
+                                  ".tar.gz"))
               (sha256
                (base32
                 "0q3jck7lna77z5r42f13c4xglc7azd19pxfrjrpgp2yf615w4lgm"))))
@@ -72,6 +73,12 @@
                                    (cons (string-append "--host=" target)
                                          configure-flags)
                                    configure-flags))))))
+           (apply-rollup-patch-phase
+            '(lambda* (#:key inputs native-inputs #:allow-other-keys)
+               (copy-file (assoc-ref (or native-inputs inputs) "rollup-patch")
+                          (string-append (getcwd) "/rollup-patch.sh.bz2"))
+               (and (zero? (system* "bzip2" "-d" "rollup-patch.sh.bz2"))
+                    (zero? (system* "sh" "rollup-patch.sh")))))
            (remove-shebang-phase
             '(lambda _
                ;; To avoid retaining a reference to the bootstrap Bash via the
@@ -167,6 +174,8 @@
               ,@(if (target-mingw?) '("--enable-term-driver") '()))))
          #:tests? #f                  ; no "check" target
          #:phases (modify-phases %standard-phases
+                    (add-after 'unpack 'apply-rollup-patch
+                      ,apply-rollup-patch-phase)
                     (replace 'configure ,configure-phase)
                     (add-after 'install 'post-install
                       ,post-install-phase)
@@ -175,8 +184,23 @@
                     (add-after 'unpack 'remove-unneeded-shebang
                       ,remove-shebang-phase)))))
     (self-native-input? #t)           ; for `tic'
-     (native-inputs
-      `(("pkg-config" ,pkg-config)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+
+       ;; Ncurses distributes "stable" patchsets to be applied on top
+       ;; of the release tarball.  These are only available as shell
+       ;; scripts(!) so we decompress and apply them in a phase.
+       ;; See <https://invisible-mirror.net/archives/ncurses/6.0/README>.
+       ("rollup-patch"
+        ,(origin
+           (method url-fetch)
+           (uri (string-append
+                 "https://invisible-mirror.net/archives/ncurses/"
+                 (car (string-split version #\-))
+                 "/ncurses-" version "-patch.sh.bz2"))
+           (sha256
+            (base32
+             "08a1pp8wnj1fwpa1pz3fgrmd6xwp21idniswqz8lx3w3z2nb4ydi"))))))
     (native-search-paths
      (list (search-path-specification
             (variable "TERMINFO_DIRS")
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index e4e0eedc05..67a3062a5a 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -60,14 +61,14 @@ themselves.")
   ;; This version is not API-compatible with version 2.  In particular, lsh
   ;; cannot use it yet.  So keep it separate.
   (package (inherit nettle-2)
-    (version "3.3")
+    (version "3.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/nettle/nettle-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "07mif3af077763vc35s1x8vzhzlgqcgxh67c1xr13jnhslkjd526"))))
+                "150y8655h629wn946dvzasq16qxsc1m9nf58mifvhl350bgl4ymf"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nettle-2)
        ((#:configure-flags flags)
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 2c55d6793a..26eb1820e6 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -38,6 +38,7 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system glib-or-gtk)
   #:use-module (guix build-system gnu)
@@ -1422,49 +1423,52 @@ updates to the zebra daemon.")
     (license license:gpl2+)))
 
 (define-public thc-ipv6
-  (package
-    (name "thc-ipv6")
-    (version "3.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://github.com/vanhauser-thc/thc-ipv6/"
-                                  "archive/" version ".tar.gz"))
-              (file-name (string-append name "-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0yh2lpsazmm0pgbmh0dx023w6fss1kdfyr4cq7yw0fac8vkw32d3"))))
-    (build-system gnu-build-system)
-    (arguments
-     `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
-       #:tests? #f ; No test suite.
-       #:phases
-       (modify-phases %standard-phases
-         (delete 'configure) ; No ./configure script.
-         (add-before 'build 'patch-paths
-           (lambda _
-             (substitute* "Makefile"
-               (("/bin/echo") "echo"))
-             #t))
-         (add-after 'install 'install-more-docs
-           (lambda* (#:key outputs #:allow-other-keys)
-             (let* ((out (assoc-ref outputs "out"))
-                    (doc (string-append out "/share/thc-ipv6/doc")))
-               (install-file "README" doc)
-               (install-file "HOWTO-INJECT" doc)
-               #t))))))
-    ;; TODO Add libnetfilter-queue once packaged.
-    (inputs
-     `(("libpcap" ,libpcap)
-       ("openssl" ,openssl)
-       ("perl" ,perl)))
-    (home-page "https://github.com/vanhauser-thc/thc-ipv6")
-    (synopsis "IPv6 security research toolkit")
-    (description "The THC IPv6 Toolkit provides command-line tools and a library
+  (let ((revision "0")
+        (commit "4bb72573e0950ce6f8ca2800a10748477020029e"))
+    (package
+      (name "thc-ipv6")
+      (version (git-version "3.4" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                       (url "https://github.com/vanhauser-thc/thc-ipv6.git")
+                       (commit commit)))
+                (file-name (git-file-name name version))
+                (sha256
+                 (base32
+                  "1x5i6vbsddqc2yks7r1a2fw2fk16qxvd6hpzh1lykjfpkal8fdir"))))
+      (build-system gnu-build-system)
+      (arguments
+       `(#:make-flags (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
+         #:tests? #f ; No test suite.
+         #:phases
+         (modify-phases %standard-phases
+           (delete 'configure) ; No ./configure script.
+           (add-before 'build 'patch-paths
+             (lambda _
+               (substitute* "Makefile"
+                 (("/bin/echo") "echo"))
+               #t))
+           (add-after 'install 'install-more-docs
+             (lambda* (#:key outputs #:allow-other-keys)
+               (let* ((out (assoc-ref outputs "out"))
+                      (doc (string-append out "/share/thc-ipv6/doc")))
+                 (install-file "README" doc)
+                 (install-file "HOWTO-INJECT" doc)
+                 #t))))))
+      ;; TODO Add libnetfilter-queue once packaged.
+      (inputs
+       `(("libpcap" ,libpcap)
+         ("openssl" ,openssl)
+         ("perl" ,perl)))
+      (home-page "https://github.com/vanhauser-thc/thc-ipv6")
+      (synopsis "IPv6 security research toolkit")
+      (description "The THC IPv6 Toolkit provides command-line tools and a library
 for researching IPv6 implementations and deployments.  It requires Linux 2.6 or
 newer and only works on Ethernet network interfaces.")
-    ;; AGPL 3 with exception for linking with OpenSSL. See the 'LICENSE' file in
-    ;; the source distribution for more information.
-    (license license:agpl3)))
+      ;; AGPL 3 with exception for linking with OpenSSL. See the 'LICENSE' file in
+      ;; the source distribution for more information.
+      (license license:agpl3))))
 
 (define-public bmon
   (package
diff --git a/gnu/packages/nfs.scm b/gnu/packages/nfs.scm
index 28751c4004..f6bb5b3b71 100644
--- a/gnu/packages/nfs.scm
+++ b/gnu/packages/nfs.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -47,6 +47,7 @@
              (uri (string-append
                    "mirror://kernel.org/linux/utils/nfs-utils/" version
                    "/nfs-utils-" version ".tar.xz"))
+             (patches (search-patches "nfs-utils-missing-headers.patch"))
              (sha256
               (base32
                "1vqrqzhg9nh2wj1icp7k8v9dibgnn521b45np79nnkmqf16bbbhg"))))
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index fade8b23da..052966ea34 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -41,18 +41,14 @@
 (define-public node
   (package
     (name "node")
-    (version "8.9.1")
+    (version "9.3.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://nodejs.org/dist/v" version
                                   "/node-v" version ".tar.gz"))
               (sha256
                (base32
-                "1qbiz7hgwlirhwpd71c8yzcbwsyi5bjlfp6lxb6v55j6rizinj9j"))
-              ;; See https://github.com/nodejs/node/issues/16688
-              ;; Remove this next update (>8.9.1).
-              (patches
-                (search-patches "node-test-http2-server-rst-stream.patch"))))
+                "19g2pc196rxlj9k5bwhqxdjddvicsx385w7yj6alq9l82lmqycxp"))))
     (build-system gnu-build-system)
     (arguments
      ;; TODO: Purge the bundled copies from the source.
@@ -85,11 +81,24 @@
              ;; test-make-doc needs doc-only target, which is inhibited below
              (for-each delete-file
                        '("test/doctool/test-make-doc.js"))
-             ;; FIXME: This test seems to depends on files that are not
-             ;; available in the bundled v8. See
-             ;; https://github.com/nodejs/node/issues/13344
+             ;; FIXME: These tests depend on being able to install eslint.
+             ;; See https://github.com/nodejs/node/issues/17098.
              (for-each delete-file
-                       '("test/addons-napi/test_general/testInstanceOf.js"))
+                       '("test/parallel/test-eslint-crypto-check.js"
+                         "test/parallel/test-eslint-alphabetize-errors.js"
+                         "test/parallel/test-eslint-buffer-constructor.js"
+                         "test/parallel/test-eslint-documented-errors.js"
+                         "test/parallel/test-eslint-inspector-check.js"
+                         "test/parallel/test-eslint-no-unescaped-regexp-dot.js"
+                         "test/parallel/test-eslint-no-let-in-for-declaration.js"
+                         "test/parallel/test-eslint-prefer-assert-iferror.js"
+                         "test/parallel/test-eslint-prefer-assert-methods.js"
+                         "test/parallel/test-eslint-prefer-common-expectserror.js"
+                         "test/parallel/test-eslint-prefer-common-mustnotcall.js"
+                         "test/parallel/test-eslint-prefer-util-format-errors.js"
+                         "test/parallel/test-eslint-require-buffer.js"
+                         "test/parallel/test-eslint-required-modules.js"))
+
              ;; FIXME: These tests fail in the build container, but they don't
              ;; seem to be indicative of real problems in practice.
              (for-each delete-file
diff --git a/gnu/packages/ocaml.scm b/gnu/packages/ocaml.scm
index eab84c6981..85b2dc8b45 100644
--- a/gnu/packages/ocaml.scm
+++ b/gnu/packages/ocaml.scm
@@ -146,7 +146,7 @@
     (inputs
      `(("libx11" ,libx11)
        ;; For libiberty, needed for objdump support.
-       ("gcc:lib" ,(canonical-package gcc-4.9) "lib")
+       ("gcc:lib" ,(canonical-package gcc) "lib")
        ("zlib" ,zlib)))                       ;also needed for objdump support
     (arguments
      `(#:modules ((guix build gnu-build-system)
diff --git a/gnu/packages/onc-rpc.scm b/gnu/packages/onc-rpc.scm
index a76ac36eab..5997571462 100644
--- a/gnu/packages/onc-rpc.scm
+++ b/gnu/packages/onc-rpc.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
-;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2017, 2018 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -23,6 +23,8 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (gnu packages)
+  #:use-module (gnu packages autotools)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages kerberos)
   #:use-module (gnu packages pkg-config)
   #:use-module (guix build-system gnu))
@@ -30,16 +32,16 @@
 (define-public libtirpc
   (package
     (name "libtirpc")
-    (version "1.0.1")
+    (version "1.0.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libtirpc/libtirpc/"
                                   version "/libtirpc-"
                                   version ".tar.bz2"))
-              (patches (search-patches "libtirpc-CVE-2017-8779.patch"))
+              (patches (search-patches "libtirpc-missing-headers.patch"))
               (sha256
                (base32
-                "17mqrdgsgp9m92pmq7bvr119svdg753prqqxmg4cnz5y657rfmji"))))
+                "1xchbxy0xql7yl7z4n1icj8r7dmly46i22fvm00vdjq64zlmqg3j"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -85,7 +87,8 @@ IPv4 and IPv6.  ONC RPC is notably used by the network file system (NFS).")
      `(#:configure-flags
        `("--with-systemdsystemunitdir=no" "--enable-warmstarts")))
     (inputs
-     `(("libtirpc" ,libtirpc)))
+     `(("libnsl" ,libnsl)
+       ("libtirpc" ,libtirpc)))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (home-page "http://rpcbind.sourceforge.net/")
@@ -95,3 +98,39 @@ IPv4 and IPv6.  ONC RPC is notably used by the network file system (NFS).")
 universal addresses.")
     (license bsd-3)))
 
+
+(define-public libnsl
+  (package
+    (name "libnsl")
+    (version "1.2.0")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://github.com/thkukuk/libnsl/archive/v"
+                                  version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1y6kmxmv1difzvdhx7grqzw0j2v2b74mg4kjb803m8jcgkqqx8m5"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'bootstrap
+           (lambda _
+             (invoke "sh" "autogen.sh"))))))
+    (native-inputs
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("gettext" ,gettext-minimal)
+       ("libtool" ,libtool)
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libtirpc" ,libtirpc)))
+    (synopsis "Public client interface for NIS(YP) and NIS+")
+    (description "Libnsl is the public client interface for the Network
+Information Service / Yellow Pages (NIS/YP) and NIS+.  It includes IPv6 support.
+This library was part of glibc < 2.26, but is now distributed separately.")
+    (home-page "https://github.com/thkukuk/libnsl")
+    ;; The package is distributed under the LGPL 2.1. Some files in
+    ;; 'src/nisplus/' are LGPL 2.1+, and some files in 'src/rpcsvc/' are BSD-3.
+    (license lgpl2.1)))
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 782d336eea..77fefe5e0f 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -27,6 +27,7 @@
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages backup)
   #:use-module (gnu packages bdw-gc)
+  #:use-module (gnu packages bootstrap)          ;for 'bootstrap-guile-origin'
   #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cpio)
@@ -244,39 +245,19 @@
                        ("graphviz" ,graphviz)
                        ("help2man" ,help2man)))
       (inputs
-       (let ((boot-guile (lambda (arch hash)
-                           (origin
-                             (method url-fetch)
-                             (uri (boot-guile-uri arch))
-                             (sha256 hash)))))
-         `(("bzip2" ,bzip2)
-           ("gzip" ,gzip)
-           ("zlib" ,zlib)                         ;for 'guix publish'
-
-           ("sqlite" ,sqlite)
-           ("libgcrypt" ,libgcrypt)
-           ("guile" ,guile-2.2)
-
-           ("boot-guile/i686"
-            ,(boot-guile "i686"
-                         (base32
-                          "0im800m30abgh7msh331pcbjvb4n02smz5cfzf1srv0kpx3csmxp")))
-           ("boot-guile/x86_64"
-            ,(boot-guile "x86_64"
-                         (base32
-                          "1w2p5zyrglzzniqgvyn1b55vprfzhgk8vzbzkkbdgl5248si0yq3")))
-           ("boot-guile/mips64el"
-            ,(boot-guile "mips64el"
-                         (base32
-                          "0fzp93lvi0hn54acc0fpvhc7bvl0yc853k62l958cihk03q80ilr")))
-           ("boot-guile/armhf"
-            ,(boot-guile "armhf"
-                         (base32
-                          "1mi3brl7l58aww34rawhvja84xc7l1b4hmwdmc36fp9q9mfx0lg5")))
-           ("boot-guile/aarch64"
-            ,(boot-guile "aarch64"
-                         (base32
-                          "1giy2aprjmn5fp9c4s9r125fljw4wv6ixy5739i5bffw4jgr0f9r"))))))
+       `(("bzip2" ,bzip2)
+         ("gzip" ,gzip)
+         ("zlib" ,zlib)                           ;for 'guix publish'
+
+         ("sqlite" ,sqlite)
+         ("libgcrypt" ,libgcrypt)
+         ("guile" ,guile-2.2)
+
+         ("boot-guile/i686" ,(bootstrap-guile-origin "i686-linux"))
+         ("boot-guile/x86_64" ,(bootstrap-guile-origin "x86_64-linux"))
+         ("boot-guile/mips64el" ,(bootstrap-guile-origin "mips64el-linux"))
+         ("boot-guile/armhf" ,(bootstrap-guile-origin "armhf-linux"))
+         ("boot-guile/aarch64" ,(bootstrap-guile-origin "aarch64-linux"))))
       (propagated-inputs
        `(("gnutls" ,gnutls)
          ("guile-json" ,guile-json)
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 6824210341..07197de0d5 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -99,10 +99,6 @@ human.")
         (base32
          "1pfkq1m5vb90kx67vyw70s1hc4ivjsvq2535vm6wdwwsncna6bz5"))))
     (build-system cmake-build-system)
-    (arguments
-     `(#:configure-flags
-       (list (string-append "-DCMAKE_INSTALL_LIBDIR="
-                            (assoc-ref %outputs "out") "/lib"))))
     (inputs
      `(("libgcrypt" ,libgcrypt)
        ("libxi" ,libxi)
diff --git a/gnu/packages/patches/acl-fix-perl-regex.patch b/gnu/packages/patches/acl-fix-perl-regex.patch
new file mode 100644
index 0000000000..f682abc058
--- /dev/null
+++ b/gnu/packages/patches/acl-fix-perl-regex.patch
@@ -0,0 +1,22 @@
+This can be removed with the next acl release
+
+---
+ test/run | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/run b/test/run
+index 2cf52e8..4627cd2 100755
+--- a/test/run
++++ b/test/run
+@@ -70,7 +70,7 @@ for (;;) {
+   if (defined $line) {
+     # Substitute %VAR and %{VAR} with environment variables.
+     $line =~ s[%(\w+)][$ENV{$1}]eg;
+-    $line =~ s[%{(\w+)}][$ENV{$1}]eg;
++    $line =~ s[%\{(\w+)\}][$ENV{$1}]eg;
+   }
+   if (defined $line) {
+     if ($line =~ s/^\s*< ?//) {
+-- 
+2.15.0
+
diff --git a/gnu/packages/patches/automake-regexp-syntax.patch b/gnu/packages/patches/automake-regexp-syntax.patch
deleted file mode 100644
index 2e965c8c50..0000000000
--- a/gnu/packages/patches/automake-regexp-syntax.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From <https://lists.gnu.org/archive/html/automake-patches/2015-07/msg00000.html>.
-See also <http://bugs.gnu.org/22372>.
-
-From 34163794a58b5bd91c5d6bd9adf5437571c7a479 Mon Sep 17 00:00:00 2001
-From: Pavel Raiskup <praiskup@redhat.com>
-Date: Tue, 7 Jul 2015 10:54:24 +0200
-Subject: [PATCH] bin/automake: escape '{' in regexp pattern
-
-Based on perlre(1) documentation:
-.. in Perl v5.26, literal uses of a curly bracket will be required
-to be escaped, say by preceding them with a backslash ("\{" ) or
-enclosing them within square brackets ("[{]") ..
-
-References:
-https://bugzilla.redhat.com/1239379
-
-* bin/automake.in (substitute_ac_subst_variables): Escape the
-occurrence of '{' character.
----
- bin/automake.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/bin/automake.in b/bin/automake.in
-index 0c29184..c294ced 100644
---- a/bin/automake.in
-+++ b/bin/automake.in
-@@ -3898,7 +3898,7 @@ sub substitute_ac_subst_variables_worker
- sub substitute_ac_subst_variables
- {
-   my ($text) = @_;
--  $text =~ s/\${([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
-+  $text =~ s/\$\{([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
-   return $text;
- }
diff --git a/gnu/packages/patches/automake-test-gzip-warning.patch b/gnu/packages/patches/automake-test-gzip-warning.patch
deleted file mode 100644
index bcc9c207ae..0000000000
--- a/gnu/packages/patches/automake-test-gzip-warning.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Adjust test to ignore gzip 1.8+ warnings.
-
---- automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh	2016-06-14 00:36:26.554218552 +0200
-+++ automake-1.15/t/distcheck-no-prefix-or-srcdir-override.sh	2016-06-14 00:37:52.903157770 +0200
-@@ -49,7 +49,11 @@ grep "cannot find sources.* in foobar" s
- 
- ./configure
- run_make -E -O distcheck
--test ! -s stderr
-+
-+# Gzip 1.8+ emits warnings like "gzip: warning: GZIP environment
-+# variable is deprecated"; filter them out.
-+test `grep -v '^gzip: warning' stderr | wc -l` -eq 0
-+
- # Sanity check: the flags have been actually seen.
- $PERL -e 'undef $/; $_ = <>; s/ \\\n/ /g; print;' <stdout >t
- grep '/configure .* --srcdir am-src'   t || exit 99
diff --git a/gnu/packages/patches/avahi-localstatedir.patch b/gnu/packages/patches/avahi-localstatedir.patch
index 76377d1057..a531e99b67 100644
--- a/gnu/packages/patches/avahi-localstatedir.patch
+++ b/gnu/packages/patches/avahi-localstatedir.patch
@@ -2,11 +2,11 @@ Don't "mkdir $(localstatedir)" since we can't do it (/var).
 
 --- avahi-0.6.27/avahi-daemon/Makefile.in	2010-07-13 05:06:35.000000000 +0200
 +++ avahi-0.6.27/avahi-daemon/Makefile.in	2010-07-13 18:03:45.000000000 +0200
-@@ -1554,7 +1554,6 @@ xmllint:
+@@ -1625,7 +1625,6 @@
  	done
  
  install-data-local:
--	test -z "$(localstatedir)/run" || $(mkdir_p) "$(DESTDIR)$(localstatedir)/run"
+-	test -z "$(avahi_runtime_dir)" || $(MKDIR_P) "$(DESTDIR)$(avahi_runtime_dir)"
  
  update-systemd:
  	curl http://cgit.freedesktop.org/systemd/plain/src/sd-daemon.c > sd-daemon.c
diff --git a/gnu/packages/patches/clang-runtime-asan-build-fixes.patch b/gnu/packages/patches/clang-runtime-asan-build-fixes.patch
new file mode 100644
index 0000000000..e9db57d7cb
--- /dev/null
+++ b/gnu/packages/patches/clang-runtime-asan-build-fixes.patch
@@ -0,0 +1,92 @@
+This patch works around build issues in libsanitizer.  Note that we carry the
+same patches for GCC since it includes the same libsanitizer.
+
+Work around this build error on glibc 2.26:
+
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/asan/asan_linux.cc: In function 'bool __asan::AsanInterceptsSignal(int)':
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/asan/asan_linux.cc:224:20: error: 'SIGSEGV' was not declared in this scope
+
+diff --git a/libsanitizer/asan/asan_linux.cc b/libsanitizer/asan/asan_linux.cc
+index c504168..59087b9 100644
+--- a/lib/asan/asan_linux.cc
++++ b/lib/asan/asan_linux.cc
+@@ -29,6 +29,7 @@
+ #include <dlfcn.h>
+ #include <fcntl.h>
+ #include <pthread.h>
++#include <signal.h>
+ #include <stdio.h>
+ #include <unistd.h>
+ #include <unwind.h>
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Now, work around this other error:
+
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc: In function 'int __sanitizer::TracerThread(void*)':
+  /tmp/guix-build-clang-runtime-3.5.2.drv-0/compiler-rt-3.5.2.src/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc:239:22: error: aggregate 'sigaltstack handler_stack' has incomplete type and cannot be defined
+
+
+diff --git a/lib/sanitizer_common/sanitizer_linux.cc b/lib/sanitizer_common/sanitizer_linux.cc
+index 2cefa20..223d9c6 100644
+--- a/lib/sanitizer_common/sanitizer_linux.cc
++++ b/lib/sanitizer_common/sanitizer_linux.cc
+@@ -546,8 +546,7 @@ uptr internal_prctl(int option, uptr arg2, uptr arg3, uptr arg4, uptr arg5) {
+ }
+ #endif
+ 
+-uptr internal_sigaltstack(const struct sigaltstack *ss,
+-                         struct sigaltstack *oss) {
++uptr internal_sigaltstack(const void *ss, void *oss) {
+   return internal_syscall(SYSCALL(sigaltstack), (uptr)ss, (uptr)oss);
+ }
+ 
+diff --git a/lib/sanitizer_common/sanitizer_linux.h b/lib/sanitizer_common/sanitizer_linux.h
+index 4497702..1594058 100644
+--- a/lib/sanitizer_common/sanitizer_linux.h
++++ b/lib/sanitizer_common/sanitizer_linux.h
+@@ -19,7 +19,6 @@
+ #include "sanitizer_platform_limits_posix.h"
+ 
+ struct link_map;  // Opaque type returned by dlopen().
+-struct sigaltstack;
+ 
+ namespace __sanitizer {
+ // Dirent structure for getdents(). Note that this structure is different from
+@@ -28,8 +27,7 @@ struct linux_dirent;
+ 
+ // Syscall wrappers.
+ uptr internal_getdents(fd_t fd, struct linux_dirent *dirp, unsigned int count);
+-uptr internal_sigaltstack(const struct sigaltstack* ss,
+-                          struct sigaltstack* oss);
++uptr internal_sigaltstack(const void* ss, void* oss);
+ uptr internal_sigprocmask(int how, __sanitizer_sigset_t *set,
+     __sanitizer_sigset_t *oldset);
+ void internal_sigfillset(__sanitizer_sigset_t *set);
+diff --git a/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc b/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+index c919e4f..014162af 100644
+--- a/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
++++ b/lib/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+@@ -267,7 +267,7 @@ static int TracerThread(void* argument) {
+ 
+   // Alternate stack for signal handling.
+   InternalScopedBuffer<char> handler_stack_memory(kHandlerStackSize);
+-  struct sigaltstack handler_stack;
++  stack_t handler_stack;
+   internal_memset(&handler_stack, 0, sizeof(handler_stack));
+   handler_stack.ss_sp = handler_stack_memory.data();
+   handler_stack.ss_size = kHandlerStackSize;
+diff --git a/lib/tsan/tsan_platform_linux.cc b/lib/tsan/tsan_platform_linux.cc
+index 09cec5f..908f4fe 100644
+--- a/lib/tsan/rtl/tsan_platform_linux.cc
++++ b/lib/tsan/rtl/tsan_platform_linux.cc
+@@ -291,7 +291,7 @@ bool IsGlobalVar(uptr addr) {
+ int ExtractResolvFDs(void *state, int *fds, int nfd) {
+ #if SANITIZER_LINUX
+   int cnt = 0;
+-  __res_state *statp = (__res_state*)state;
++  struct __res_state *statp = (struct __res_state*)state;
+   for (int i = 0; i < MAXNS && cnt < nfd; i++) {
+     if (statp->_u._ext.nsaddrs[i] && statp->_u._ext.nssocks[i] != -1)
+       fds[cnt++] = statp->_u._ext.nssocks[i];
+-- 
+2.9.3
diff --git a/gnu/packages/patches/clang-runtime-esan-build-fixes.patch b/gnu/packages/patches/clang-runtime-esan-build-fixes.patch
new file mode 100644
index 0000000000..743051ac15
--- /dev/null
+++ b/gnu/packages/patches/clang-runtime-esan-build-fixes.patch
@@ -0,0 +1,19 @@
+Fix esan compilation against glibc 2.26:
+
+  /tmp/guix-build-clang-runtime-3.9.1.drv-0/compiler-rt-3.9.1.src/lib/esan/esan_sideline_linux.cpp: In static member function ‘static int __esan::SidelineThread::runSideline(void*)’:
+  /tmp/guix-build-clang-runtime-3.9.1.drv-0/compiler-rt-3.9.1.src/lib/esan/esan_sideline_linux.cpp:73:22: error: aggregate ‘__esan::SidelineThread::runSideline(void*)::sigaltstack SigAltStack’ has incomplete type and cannot be defined
+
+Patch from <https://github.com/google/sanitizers/issues/822>.
+
+index d04f5909d..bc272dfe4 100644
+--- a/lib/esan/esan_sideline_linux.cpp
++++ b/lib/esan/esan_sideline_linux.cpp
+@@ -70,7 +70,7 @@ int SidelineThread::runSideline(void *Arg) {
+ 
+   // Set up a signal handler on an alternate stack for safety.
+   InternalScopedBuffer<char> StackMap(SigAltStackSize);
+-  struct sigaltstack SigAltStack;
++  stack_t SigAltStack;
+   SigAltStack.ss_sp = StackMap.data();
+   SigAltStack.ss_size = SigAltStackSize;
+   SigAltStack.ss_flags = 0;
diff --git a/gnu/packages/patches/clisp-glibc-2.26.patch b/gnu/packages/patches/clisp-glibc-2.26.patch
new file mode 100644
index 0000000000..c8920ceccc
--- /dev/null
+++ b/gnu/packages/patches/clisp-glibc-2.26.patch
@@ -0,0 +1,20 @@
+This patch comes from Debian.
+
+Description: cfree is not present in glibc-2.26, stop wrapping it
+Author: Adam Conrad <adconrad@ubuntu.com>
+Bug: https://sourceforge.net/p/clisp/bugs/717/
+Bug-Debian: https://bugs.debian.org/880686
+Applied-Upstream: https://sourceforge.net/p/clisp/clisp/ci/3bc928712d150ff1e5f6b2bfb7838655f3ff52fa/
+Reviewed-By: Sébastien Villemot <sebastien@debian.org>
+Last-Update: 2017-11-27
+
+--- clisp-2.49.20170913.orig/modules/bindings/glibc/linux.lisp
++++ clisp-2.49.20170913/modules/bindings/glibc/linux.lisp
+@@ -649,7 +649,6 @@
+ (def-call-out calloc (:arguments (nmemb size_t) (size size_t))
+   (:return-type c-pointer))
+ (def-call-out free (:arguments (ptr c-pointer)) (:return-type nil))
+-(def-call-out cfree (:arguments (ptr c-pointer)) (:return-type nil))
+ (def-call-out valloc (:arguments (size size_t)) (:return-type c-pointer))
+ 
+ (def-call-out abort (:arguments) (:return-type nil))
diff --git a/gnu/packages/patches/coreutils-cut-huge-range-test.patch b/gnu/packages/patches/coreutils-cut-huge-range-test.patch
deleted file mode 100644
index e3a0ef28eb..0000000000
--- a/gnu/packages/patches/coreutils-cut-huge-range-test.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-This patch fixes 100% reproducible test failures on arm-linux-gnueabihf in our
-the build environment chroot, as reported at <https://bugs.gnu.org/26253>,
-and now on x86_64-linux-gnu as well.  It is a variant of this upstream patch:
-
-  commit f5422009389678680dba9ff4ecb7d33632ee3383
-  Author: Ludovic Courtès <ludo@gnu.org>
-  Date:   Mon Mar 27 20:34:39 2017 -0700
-
-      tests: avoid false ulimit failure on some systems
-
-      * tests/misc/cut-huge-range.sh: On some systems returns_ may
-      use more memory, so incorporate that in the determination
-      of the ulimit value to use.  Noticed on ARMv7 with bash-4.4.12,
-      and x86_64 with bash-4.2.37.
-      Fixes http://bugs.gnu.org/26253
-
-... which appeared to be insufficient.
-
-diff --git a/tests/misc/cut-huge-range.sh b/tests/misc/cut-huge-range.sh
-index 6b3c5b6ed..55b7b640e 100755
---- a/tests/misc/cut-huge-range.sh
-+++ b/tests/misc/cut-huge-range.sh
-@@ -20,9 +20,9 @@
- print_ver_ cut
- getlimits_
- 
--vm=$(get_min_ulimit_v_ cut -b1 /dev/null) \
-+vm=$(get_min_ulimit_v_ sh -c 'cut -b1 /dev/null') \
-   || skip_ "this shell lacks ulimit support"
- vm=$(($vm + 1000)) # avoid spurious failures
- 
- # sed script to subtract one from the input.
- # Each input line should consist of a positive decimal number.
diff --git a/gnu/packages/patches/diffutils-getopt.patch b/gnu/packages/patches/diffutils-getopt.patch
new file mode 100644
index 0000000000..05c2504adf
--- /dev/null
+++ b/gnu/packages/patches/diffutils-getopt.patch
@@ -0,0 +1,44 @@
+commit e3461d1c21a99bcef1b8826f710434e0ffb5adea
+Author: Paul Eggert <eggert@cs.ucla.edu>
+Date:   Sun Jun 11 15:53:09 2017 -0700
+
+    getopt-posix: port to glibc 2.25.90
+    
+    Problem reported by Daniel P. Berrange in:
+    http://lists.gnu.org/archive/html/bug-gnulib/2017-06/msg00003.html
+    * lib/getopt-pfx-core.h (_GETOPT_CORE_H):
+    * lib/getopt-pfx-ext.h (_GETOPT_EXT_H):
+    #undef if __GETOPT_PREFIX is defined.
+
+diff --git a/lib/getopt-pfx-core.h b/lib/getopt-pfx-core.h
+index 155c11612..6ad0da683 100644
+--- a/lib/getopt-pfx-core.h
++++ b/lib/getopt-pfx-core.h
+@@ -47,6 +47,11 @@
+ # define opterr __GETOPT_ID (opterr)
+ # define optind __GETOPT_ID (optind)
+ # define optopt __GETOPT_ID (optopt)
++
++/* The system's getopt.h may have already included getopt-core.h to
++   declare the unprefixed identifiers.  Undef _GETOPT_CORE_H so that
++   getopt-core.h declares them with prefixes.  */
++# undef _GETOPT_CORE_H
+ #endif
+ 
+ #include <getopt-core.h>
+diff --git a/lib/getopt-pfx-ext.h b/lib/getopt-pfx-ext.h
+index d960bb34e..c5ac52202 100644
+--- a/lib/getopt-pfx-ext.h
++++ b/lib/getopt-pfx-ext.h
+@@ -45,6 +45,11 @@
+ # define getopt_long_only __GETOPT_ID (getopt_long_only)
+ # define option __GETOPT_ID (option)
+ # define _getopt_internal __GETOPT_ID (getopt_internal)
++
++/* The system's getopt.h may have already included getopt-ext.h to
++   declare the unprefixed identifiers.  Undef _GETOPT_EXT_H so that
++   getopt-ext.h declares them with prefixes.  */
++# undef _GETOPT_EXT_H
+ #endif
+ 
+ /* Standalone applications get correct prototypes for getopt_long and
diff --git a/gnu/packages/patches/docbook-xsl-nonrecursive-string-subst.patch b/gnu/packages/patches/docbook-xsl-nonrecursive-string-subst.patch
new file mode 100644
index 0000000000..4199dd18a5
--- /dev/null
+++ b/gnu/packages/patches/docbook-xsl-nonrecursive-string-subst.patch
@@ -0,0 +1,39 @@
+Use a non-recursive replace function when the parser supports it.
+
+https://bugs.gnu.org/29782
+https://bugzilla.samba.org/show_bug.cgi?id=9515
+https://bugzilla.gnome.org/show_bug.cgi?id=736077 (for xsltproc)
+
+Patch copied from Debian:
+https://anonscm.debian.org/cgit/collab-maint/docbook-xsl.git/tree/debian/patches/765567_non-recursive_string_subst.patch
+
+Description: use EXSLT "replace" function when available
+ A recursive implementation  of string.subst is problematic,
+ long strings with many matches will cause stack overflows.
+Author: Peter De Wachter <pdewacht@gmail.com>
+Bug-Debian: https://bugs.debian.org/750593
+
+--- a/lib/lib.xsl
++++ b/lib/lib.xsl
+@@ -10,7 +10,10 @@
+      This module implements DTD-independent functions
+ 
+      ******************************************************************** -->
+-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
++                xmlns:str="http://exslt.org/strings"
++                exclude-result-prefixes="str"
++                version="1.0">
+ 
+ <xsl:template name="dot.count">
+   <!-- Returns the number of "." characters in a string -->
+@@ -56,6 +59,9 @@
+   <xsl:param name="replacement"/>
+ 
+   <xsl:choose>
++    <xsl:when test="function-available('str:replace')">
++      <xsl:value-of select="str:replace($string, string($target), string($replacement))"/>
++    </xsl:when>
+     <xsl:when test="contains($string, $target)">
+       <xsl:variable name="rest">
+         <xsl:call-template name="string.subst">
diff --git a/gnu/packages/patches/findutils-gnulib-multi-core.patch b/gnu/packages/patches/findutils-gnulib-multi-core.patch
deleted file mode 100644
index 5a37f4f1f9..0000000000
--- a/gnu/packages/patches/findutils-gnulib-multi-core.patch
+++ /dev/null
@@ -1,294 +0,0 @@
-This patch fixes performance problems on multi-core machines
-as reported at <https://bugs.gnu.org/26441>.
-
-See commit 480d374e596a0ee3fed168ab42cd84c313ad3c89 in Gnulib
-by Bruno Haible <bruno@clisp.org>.
-
-diff --git a/tests/test-lock.c b/tests/test-lock.c
-index a992f64..fb18dee 100644
---- a/tests/test-lock.c
-+++ b/tests/test-lock.c
-@@ -1,5 +1,5 @@
- /* Test of locking in multithreaded situations.
--   Copyright (C) 2005, 2008-2015 Free Software Foundation, Inc.
-+   Copyright (C) 2005, 2008-2017 Free Software Foundation, Inc.
- 
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-@@ -50,6 +50,28 @@
-    Uncomment this to see if the operating system has a fair scheduler.  */
- #define EXPLICIT_YIELD 1
- 
-+/* Whether to use 'volatile' on some variables that communicate information
-+   between threads.  If set to 0, a semaphore or a lock is used to protect
-+   these variables.  If set to 1, 'volatile' is used; this is theoretically
-+   equivalent but can lead to much slower execution (e.g. 30x slower total
-+   run time on a 40-core machine), because 'volatile' does not imply any
-+   synchronization/communication between different CPUs.  */
-+#define USE_VOLATILE 0
-+
-+#if USE_POSIX_THREADS && HAVE_SEMAPHORE_H
-+/* Whether to use a semaphore to communicate information between threads.
-+   If set to 0, a lock is used. If set to 1, a semaphore is used.
-+   Uncomment this to reduce the dependencies of this test.  */
-+# define USE_SEMAPHORE 1
-+/* Mac OS X provides only named semaphores (sem_open); its facility for
-+   unnamed semaphores (sem_init) does not work.  */
-+# if defined __APPLE__ && defined __MACH__
-+#  define USE_NAMED_SEMAPHORE 1
-+# else
-+#  define USE_UNNAMED_SEMAPHORE 1
-+# endif
-+#endif
-+
- /* Whether to print debugging messages.  */
- #define ENABLE_DEBUGGING 0
- 
-@@ -90,6 +112,12 @@
- 
- #include "glthread/thread.h"
- #include "glthread/yield.h"
-+#if USE_SEMAPHORE
-+# include <errno.h>
-+# include <fcntl.h>
-+# include <semaphore.h>
-+# include <unistd.h>
-+#endif
- 
- #if ENABLE_DEBUGGING
- # define dbgprintf printf
-@@ -103,6 +131,132 @@
- # define yield()
- #endif
- 
-+#if USE_VOLATILE
-+struct atomic_int {
-+  volatile int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  return ai->value;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  ai->value = new_value;
-+}
-+#elif USE_SEMAPHORE
-+/* This atomic_int implementation can only support the values 0 and 1.
-+   It is initially 0 and can be set to 1 only once.  */
-+# if USE_UNNAMED_SEMAPHORE
-+struct atomic_int {
-+  sem_t semaphore;
-+};
-+#define atomic_int_semaphore(ai) (&(ai)->semaphore)
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  sem_init (&ai->semaphore, 0, 0);
-+}
-+# endif
-+# if USE_NAMED_SEMAPHORE
-+struct atomic_int {
-+  sem_t *semaphore;
-+};
-+#define atomic_int_semaphore(ai) ((ai)->semaphore)
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  sem_t *s;
-+  unsigned int count;
-+  for (count = 0; ; count++)
-+    {
-+      char name[80];
-+      /* Use getpid() in the name, so that different processes running at the
-+         same time will not interfere.  Use ai in the name, so that different
-+         atomic_int in the same process will not interfere.  Use a count in
-+         the name, so that even in the (unlikely) case that a semaphore with
-+         the specified name already exists, we can try a different name.  */
-+      sprintf (name, "test-lock-%lu-%p-%u",
-+               (unsigned long) getpid (), ai, count);
-+      s = sem_open (name, O_CREAT | O_EXCL, 0600, 0);
-+      if (s == SEM_FAILED)
-+        {
-+          if (errno == EEXIST)
-+            /* Retry with a different name.  */
-+            continue;
-+          else
-+            {
-+              perror ("sem_open failed");
-+              abort ();
-+            }
-+        }
-+      else
-+        {
-+          /* Try not to leave a semaphore hanging around on the file system
-+             eternally, if we can avoid it.  */
-+          sem_unlink (name);
-+          break;
-+        }
-+    }
-+  ai->semaphore = s;
-+}
-+# endif
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  if (sem_trywait (atomic_int_semaphore (ai)) == 0)
-+    {
-+      if (sem_post (atomic_int_semaphore (ai)))
-+        abort ();
-+      return 1;
-+    }
-+  else if (errno == EAGAIN)
-+    return 0;
-+  else
-+    abort ();
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  if (new_value == 0)
-+    /* It's already initialized with 0.  */
-+    return;
-+  /* To set the value 1: */
-+  if (sem_post (atomic_int_semaphore (ai)))
-+    abort ();
-+}
-+#else
-+struct atomic_int {
-+  gl_lock_define (, lock)
-+  int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  gl_lock_init (ai->lock);
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  gl_lock_lock (ai->lock);
-+  int ret = ai->value;
-+  gl_lock_unlock (ai->lock);
-+  return ret;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  gl_lock_lock (ai->lock);
-+  ai->value = new_value;
-+  gl_lock_unlock (ai->lock);
-+}
-+#endif
-+
- #define ACCOUNT_COUNT 4
- 
- static int account[ACCOUNT_COUNT];
-@@ -170,12 +324,12 @@ lock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int lock_checker_done;
-+static struct atomic_int lock_checker_done;
- 
- static void *
- lock_checker_thread (void *arg)
- {
--  while (!lock_checker_done)
-+  while (get_atomic_int_value (&lock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_lock_lock (my_lock);
-@@ -200,7 +354,8 @@ test_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  lock_checker_done = 0;
-+  init_atomic_int (&lock_checker_done);
-+  set_atomic_int_value (&lock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (lock_checker_thread, NULL);
-@@ -210,7 +365,7 @@ test_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  lock_checker_done = 1;
-+  set_atomic_int_value (&lock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
-@@ -254,12 +409,12 @@ rwlock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int rwlock_checker_done;
-+static struct atomic_int rwlock_checker_done;
- 
- static void *
- rwlock_checker_thread (void *arg)
- {
--  while (!rwlock_checker_done)
-+  while (get_atomic_int_value (&rwlock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check rdlock\n", gl_thread_self_pointer ());
-       gl_rwlock_rdlock (my_rwlock);
-@@ -284,7 +439,8 @@ test_rwlock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  rwlock_checker_done = 0;
-+  init_atomic_int (&rwlock_checker_done);
-+  set_atomic_int_value (&rwlock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-@@ -295,7 +451,7 @@ test_rwlock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  rwlock_checker_done = 1;
-+  set_atomic_int_value (&rwlock_checker_done, 1);
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (checkerthreads[i], NULL);
-   check_accounts ();
-@@ -356,12 +512,12 @@ reclock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int reclock_checker_done;
-+static struct atomic_int reclock_checker_done;
- 
- static void *
- reclock_checker_thread (void *arg)
- {
--  while (!reclock_checker_done)
-+  while (get_atomic_int_value (&reclock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_recursive_lock_lock (my_reclock);
-@@ -386,7 +542,8 @@ test_recursive_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  reclock_checker_done = 0;
-+  init_atomic_int (&reclock_checker_done);
-+  set_atomic_int_value (&reclock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (reclock_checker_thread, NULL);
-@@ -396,7 +553,7 @@ test_recursive_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  reclock_checker_done = 1;
-+  set_atomic_int_value (&reclock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
diff --git a/gnu/packages/patches/fontconfig-remove-debug-printf.patch b/gnu/packages/patches/fontconfig-remove-debug-printf.patch
new file mode 100644
index 0000000000..04924a45a4
--- /dev/null
+++ b/gnu/packages/patches/fontconfig-remove-debug-printf.patch
@@ -0,0 +1,18 @@
+Fontconfig 2.12.5 and 2.12.6 was released with a stray debugging statement.
+See <https://lists.freedesktop.org/archives/fontconfig/2017-October/006079.html>.
+
+Patch copied from upstream source repository:
+https://cgit.freedesktop.org/fontconfig/commit/?id=b56207a069be2574df455ede0a6ab61f44d5ca2b
+
+diff --git a/fc-query/fc-query.c b/fc-query/fc-query.c
+index 842a8b6..6cd5abd 100644
+--- a/fc-query/fc-query.c
++++ b/fc-query/fc-query.c
+@@ -170,7 +170,6 @@ main (int argc, char **argv)
+ 	    FcPattern *pat;
+ 
+ 	    id = ((instance_num << 16) + face_num);
+-	    printf("id %d\n", id);
+ 	    if (FT_New_Face (ftLibrary, argv[i], id, &face))
+ 	      break;
+ 	    num_faces = face->num_faces;
diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch
deleted file mode 100644
index e566235b4e..0000000000
--- a/gnu/packages/patches/fossil-CVE-2017-17459.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Fix CVE-2017-17459:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
-
-Patch copied from upstream source repository:
-
-https://www.fossil-scm.org/xfer/info/1f63db591c77108c
-
-Index: src/http_transport.c
-==================================================================
---- src/http_transport.c
-+++ src/http_transport.c
-@@ -73,10 +73,23 @@
-   if( resetFlag ){
-     transport.nSent = 0;
-     transport.nRcvd = 0;
-   }
- }
-+
-+/*
-+** Remove leading "-" characters from the input string.
-+**
-+** This prevents attacks that try to trick a victim into using
-+** a ssh:// URI with a carefully crafted hostname of other
-+** parameter that ends up being interpreted as a command-line
-+** option by "ssh".
-+*/
-+static const char *stripLeadingMinus(const char *z){
-+  while( z[0]=='-' ) z++;
-+  return z;
-+}
- 
- /*
- ** Default SSH command
- */
- #ifdef _WIN32
-@@ -116,17 +129,17 @@
-   }else{
-     zHost = mprintf("%s", pUrlData->name);
-   }
-   n = blob_size(&zCmd);
-   blob_append(&zCmd, " ", 1);
--  shell_escape(&zCmd, zHost);
-+  shell_escape(&zCmd, stripLeadingMinus(zHost));
-   blob_append(&zCmd, " ", 1);
-   shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
-   blob_append(&zCmd, " test-http", 10);
-   if( pUrlData->path && pUrlData->path[0] ){
-     blob_append(&zCmd, " ", 1);
--    shell_escape(&zCmd, mprintf("%s", pUrlData->path));
-+    shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
-   }
-   if( g.fSshTrace ){
-     fossil_print("%s\n", blob_str(&zCmd)+n);  /* Show tail of SSH command */
-   }
-   free(zHost);
-
diff --git a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch b/gnu/packages/patches/gcc-asan-missing-include.patch
index 74b10c4a44..74b10c4a44 100644
--- a/gnu/packages/patches/gcc-asan-powerpc-missing-include.patch
+++ b/gnu/packages/patches/gcc-asan-missing-include.patch
diff --git a/gnu/packages/patches/gcc-fix-texi2pod.patch b/gnu/packages/patches/gcc-fix-texi2pod.patch
new file mode 100644
index 0000000000..28bd56a382
--- /dev/null
+++ b/gnu/packages/patches/gcc-fix-texi2pod.patch
@@ -0,0 +1,19 @@
+This patch was taken from the official GCC git repository.
+X-Git-Url: https://gcc.gnu.org/git/?p=gcc.git;a=blobdiff_plain;f=contrib%2Ftexi2pod.pl;h=91bdbb5cea933d0381f2924ab94490fca31d5800;hp=eba1bcaa3cffa78b46030b219d04fe7d68367658;hb=67b56c905078d49d3e4028085e5cb1e1fb87a8aa;hpb=2f508a78310caab123e9794d3dcfe41f2769449b
+
+It fixes a defect in the contrib/texi2pod.pl script that prevented generating
+manual pages. It was corrected in the GCC 6.X series.
+
+diff --git a/contrib/texi2pod.pl b/contrib/texi2pod.pl
+index eba1bca..91bdbb5 100755
+--- a/contrib/texi2pod.pl
++++ b/contrib/texi2pod.pl
+@@ -316,7 +316,7 @@ while(<$inf>) {
+ 	@columns = ();
+ 	for $column (split (/\s*\@tab\s*/, $1)) {
+ 	    # @strong{...} is used a @headitem work-alike
+-	    $column =~ s/^\@strong{(.*)}$/$1/;
++	    $column =~ s/^\@strong\{(.*)\}$/$1/;
+ 	    push @columns, $column;
+ 	}
+ 	$_ = "\n=item ".join (" : ", @columns)."\n";
diff --git a/gnu/packages/patches/gcc-libsanitizer-fix.patch b/gnu/packages/patches/gcc-libsanitizer-fix.patch
new file mode 100644
index 0000000000..67aa44bed4
--- /dev/null
+++ b/gnu/packages/patches/gcc-libsanitizer-fix.patch
@@ -0,0 +1,113 @@
+https://gcc.gnu.org/git/?p=gcc.git;a=patch;h=8937b94d1a643fd9760714642296d034a45254a8
+https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81066
+
+This patch can be removed when gcc-6.5.0 is released
+
+From 8937b94d1a643fd9760714642296d034a45254a8 Mon Sep 17 00:00:00 2001
+From: doko <doko@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 7 Sep 2017 07:15:24 +0000
+Subject: [PATCH] 2017-09-07  Matthias Klose  <doko@ubuntu.com>
+
+        Backported from mainline
+        2017-07-14  Jakub Jelinek  <jakub@redhat.com>
+
+        PR sanitizer/81066
+        * sanitizer_common/sanitizer_linux.h: Cherry-pick upstream r307969.
+        * sanitizer_common/sanitizer_linux.cc: Likewise.
+        * sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc: Likewise.
+        * tsan/tsan_platform_linux.cc: Likewise.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-6-branch@251828 138bc75d-0d04-0410-961f-82ee72b054a4
+---
+ libsanitizer/ChangeLog                                        | 11 +++++++++++
+ libsanitizer/sanitizer_common/sanitizer_linux.cc              |  3 +--
+ libsanitizer/sanitizer_common/sanitizer_linux.h               |  4 +---
+ .../sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc  |  2 +-
+ libsanitizer/tsan/tsan_platform_linux.cc                      |  2 +-
+ 5 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/libsanitizer/ChangeLog b/libsanitizer/ChangeLog
+index 252cd09..d988b28 100644
+--- a/libsanitizer/ChangeLog
++++ b/libsanitizer/ChangeLog
+@@ -1,3 +1,14 @@
++2017-09-07  Matthias Klose  <doko@ubuntu.com>
++
++	Backported from mainline
++	2017-07-14  Jakub Jelinek  <jakub@redhat.com>
++
++	PR sanitizer/81066
++	* sanitizer_common/sanitizer_linux.h: Cherry-pick upstream r307969.
++	* sanitizer_common/sanitizer_linux.cc: Likewise.
++	* sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc: Likewise.
++	* tsan/tsan_platform_linux.cc: Likewise.
++
+ 2017-07-04  Release Manager
+ 
+ 	* GCC 6.4.0 released.
+diff --git a/libsanitizer/sanitizer_common/sanitizer_linux.cc b/libsanitizer/sanitizer_common/sanitizer_linux.cc
+index 2cefa20..223d9c6 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_linux.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_linux.cc
+@@ -546,8 +546,7 @@ uptr internal_prctl(int option, uptr arg2, uptr arg3, uptr arg4, uptr arg5) {
+ }
+ #endif
+ 
+-uptr internal_sigaltstack(const struct sigaltstack *ss,
+-                         struct sigaltstack *oss) {
++uptr internal_sigaltstack(const void *ss, void *oss) {
+   return internal_syscall(SYSCALL(sigaltstack), (uptr)ss, (uptr)oss);
+ }
+ 
+diff --git a/libsanitizer/sanitizer_common/sanitizer_linux.h b/libsanitizer/sanitizer_common/sanitizer_linux.h
+index 4497702..1594058 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_linux.h
++++ b/libsanitizer/sanitizer_common/sanitizer_linux.h
+@@ -19,7 +19,6 @@
+ #include "sanitizer_platform_limits_posix.h"
+ 
+ struct link_map;  // Opaque type returned by dlopen().
+-struct sigaltstack;
+ 
+ namespace __sanitizer {
+ // Dirent structure for getdents(). Note that this structure is different from
+@@ -28,8 +27,7 @@ struct linux_dirent;
+ 
+ // Syscall wrappers.
+ uptr internal_getdents(fd_t fd, struct linux_dirent *dirp, unsigned int count);
+-uptr internal_sigaltstack(const struct sigaltstack* ss,
+-                          struct sigaltstack* oss);
++uptr internal_sigaltstack(const void* ss, void* oss);
+ uptr internal_sigprocmask(int how, __sanitizer_sigset_t *set,
+     __sanitizer_sigset_t *oldset);
+ void internal_sigfillset(__sanitizer_sigset_t *set);
+diff --git a/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc b/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+index c919e4f..014162af 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cc
+@@ -267,7 +267,7 @@ static int TracerThread(void* argument) {
+ 
+   // Alternate stack for signal handling.
+   InternalScopedBuffer<char> handler_stack_memory(kHandlerStackSize);
+-  struct sigaltstack handler_stack;
++  stack_t handler_stack;
+   internal_memset(&handler_stack, 0, sizeof(handler_stack));
+   handler_stack.ss_sp = handler_stack_memory.data();
+   handler_stack.ss_size = kHandlerStackSize;
+diff --git a/libsanitizer/tsan/tsan_platform_linux.cc b/libsanitizer/tsan/tsan_platform_linux.cc
+index 09cec5f..908f4fe 100644
+--- a/libsanitizer/tsan/tsan_platform_linux.cc
++++ b/libsanitizer/tsan/tsan_platform_linux.cc
+@@ -291,7 +291,7 @@ bool IsGlobalVar(uptr addr) {
+ int ExtractResolvFDs(void *state, int *fds, int nfd) {
+ #if SANITIZER_LINUX
+   int cnt = 0;
+-  __res_state *statp = (__res_state*)state;
++  struct __res_state *statp = (struct __res_state*)state;
+   for (int i = 0; i < MAXNS && cnt < nfd; i++) {
+     if (statp->_u._ext.nsaddrs[i] && statp->_u._ext.nssocks[i] != -1)
+       fds[cnt++] = statp->_u._ext.nssocks[i];
+-- 
+2.9.3
+
diff --git a/gnu/packages/patches/gettext-gnulib-multi-core.patch b/gnu/packages/patches/gettext-gnulib-multi-core.patch
deleted file mode 100644
index 5ccdbe4ca1..0000000000
--- a/gnu/packages/patches/gettext-gnulib-multi-core.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-This patch fixes performance problems on multi-core machines
-as reported at <https://bugs.gnu.org/26441>.
-
-See commit 480d374e596a0ee3fed168ab42cd84c313ad3c89 in Gnulib
-by Bruno Haible <bruno@clisp.org>.
-
-diff --git a/gettext-tools/gnulib-tests/test-lock.c b/gettext-tools/gnulib-tests/test-lock.c
-index cb734b4e6..aa6de2739 100644
---- a/gettext-tools/gnulib-tests/test-lock.c
-+++ b/gettext-tools/gnulib-tests/test-lock.c
-@@ -50,6 +50,13 @@
-    Uncomment this to see if the operating system has a fair scheduler.  */
- #define EXPLICIT_YIELD 1
- 
-+/* Whether to use 'volatile' on some variables that communicate information
-+   between threads.  If set to 0, a lock is used to protect these variables.
-+   If set to 1, 'volatile' is used; this is theoretically equivalent but can
-+   lead to much slower execution (e.g. 30x slower total run time on a 40-core
-+   machine.  */
-+#define USE_VOLATILE 0
-+
- /* Whether to print debugging messages.  */
- #define ENABLE_DEBUGGING 0
- 
-@@ -103,6 +110,51 @@
- # define yield()
- #endif
- 
-+#if USE_VOLATILE
-+struct atomic_int {
-+  volatile int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  return ai->value;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  ai->value = new_value;
-+}
-+#else
-+struct atomic_int {
-+  gl_lock_define (, lock)
-+  int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  gl_lock_init (ai->lock);
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  gl_lock_lock (ai->lock);
-+  int ret = ai->value;
-+  gl_lock_unlock (ai->lock);
-+  return ret;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  gl_lock_lock (ai->lock);
-+  ai->value = new_value;
-+  gl_lock_unlock (ai->lock);
-+}
-+#endif
-+
- #define ACCOUNT_COUNT 4
- 
- static int account[ACCOUNT_COUNT];
-@@ -170,12 +222,12 @@ lock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int lock_checker_done;
-+static struct atomic_int lock_checker_done;
- 
- static void *
- lock_checker_thread (void *arg)
- {
--  while (!lock_checker_done)
-+  while (get_atomic_int_value (&lock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_lock_lock (my_lock);
-@@ -200,7 +252,8 @@ test_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  lock_checker_done = 0;
-+  init_atomic_int (&lock_checker_done);
-+  set_atomic_int_value (&lock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (lock_checker_thread, NULL);
-@@ -210,7 +263,7 @@ test_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  lock_checker_done = 1;
-+  set_atomic_int_value (&lock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
-@@ -254,12 +307,12 @@ rwlock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int rwlock_checker_done;
-+static struct atomic_int rwlock_checker_done;
- 
- static void *
- rwlock_checker_thread (void *arg)
- {
--  while (!rwlock_checker_done)
-+  while (get_atomic_int_value (&rwlock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check rdlock\n", gl_thread_self_pointer ());
-       gl_rwlock_rdlock (my_rwlock);
-@@ -284,7 +337,8 @@ test_rwlock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  rwlock_checker_done = 0;
-+  init_atomic_int (&rwlock_checker_done);
-+  set_atomic_int_value (&rwlock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-@@ -295,7 +349,7 @@ test_rwlock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  rwlock_checker_done = 1;
-+  set_atomic_int_value (&rwlock_checker_done, 1);
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (checkerthreads[i], NULL);
-   check_accounts ();
-@@ -356,12 +410,12 @@ reclock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int reclock_checker_done;
-+static struct atomic_int reclock_checker_done;
- 
- static void *
- reclock_checker_thread (void *arg)
- {
--  while (!reclock_checker_done)
-+  while (get_atomic_int_value (&reclock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_recursive_lock_lock (my_reclock);
-@@ -386,7 +440,8 @@ test_recursive_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  reclock_checker_done = 0;
-+  init_atomic_int (&reclock_checker_done);
-+  set_atomic_int_value (&reclock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (reclock_checker_thread, NULL);
-@@ -396,7 +451,7 @@ test_recursive_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  reclock_checker_done = 1;
-+  set_atomic_int_value (&reclock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
diff --git a/gnu/packages/patches/gettext-multi-core.patch b/gnu/packages/patches/gettext-multi-core.patch
deleted file mode 100644
index 31a378cfd0..0000000000
--- a/gnu/packages/patches/gettext-multi-core.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-This patch fixes performance problems on multi-core machines
-as reported at <https://bugs.gnu.org/26441>.
-
-See commit 1afbcb06fded2a427b761dd1615b1e48e1e853cc in Gettext
-by Bruno Haible <bruno@clisp.org>.
-
-diff --git a/gettext-runtime/tests/test-lock.c b/gettext-runtime/tests/test-lock.c
-index d279d1d60..51cec3d6b 100644
---- a/gettext-runtime/tests/test-lock.c
-+++ b/gettext-runtime/tests/test-lock.c
-@@ -1,5 +1,5 @@
- /* Test of locking in multithreaded situations.
--   Copyright (C) 2005, 2008-2016 Free Software Foundation, Inc.
-+   Copyright (C) 2005, 2008-2017 Free Software Foundation, Inc.
- 
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Lesser General Public License as published by
-@@ -50,6 +50,13 @@
-    Uncomment this to see if the operating system has a fair scheduler.  */
- #define EXPLICIT_YIELD 1
- 
-+/* Whether to use 'volatile' on some variables that communicate information
-+   between threads.  If set to 0, a lock is used to protect these variables.
-+   If set to 1, 'volatile' is used; this is theoretically equivalent but can
-+   lead to much slower execution (e.g. 30x slower total run time on a 40-core
-+   machine.  */
-+#define USE_VOLATILE 0
-+
- /* Whether to print debugging messages.  */
- #define ENABLE_DEBUGGING 0
- 
-@@ -214,6 +221,51 @@ static inline void * gl_thread_self_pointer (void)
- # define yield()
- #endif
- 
-+#if USE_VOLATILE
-+struct atomic_int {
-+  volatile int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  return ai->value;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  ai->value = new_value;
-+}
-+#else
-+struct atomic_int {
-+  gl_lock_define (, lock)
-+  int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  gl_lock_init (ai->lock);
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  gl_lock_lock (ai->lock);
-+  int ret = ai->value;
-+  gl_lock_unlock (ai->lock);
-+  return ret;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  gl_lock_lock (ai->lock);
-+  ai->value = new_value;
-+  gl_lock_unlock (ai->lock);
-+}
-+#endif
-+
- #define ACCOUNT_COUNT 4
- 
- static int account[ACCOUNT_COUNT];
-@@ -281,12 +333,12 @@ lock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int lock_checker_done;
-+static struct atomic_int lock_checker_done;
- 
- static void *
- lock_checker_thread (void *arg)
- {
--  while (!lock_checker_done)
-+  while (get_atomic_int_value (&lock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_lock_lock (my_lock);
-@@ -311,7 +363,8 @@ test_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  lock_checker_done = 0;
-+  init_atomic_int (&lock_checker_done);
-+  set_atomic_int_value (&lock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (lock_checker_thread, NULL);
-@@ -321,7 +374,7 @@ test_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  lock_checker_done = 1;
-+  set_atomic_int_value (&lock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
-@@ -365,12 +418,12 @@ rwlock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int rwlock_checker_done;
-+static struct atomic_int rwlock_checker_done;
- 
- static void *
- rwlock_checker_thread (void *arg)
- {
--  while (!rwlock_checker_done)
-+  while (get_atomic_int_value (&rwlock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check rdlock\n", gl_thread_self_pointer ());
-       gl_rwlock_rdlock (my_rwlock);
-@@ -395,7 +448,8 @@ test_rwlock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  rwlock_checker_done = 0;
-+  init_atomic_int (&rwlock_checker_done);
-+  set_atomic_int_value (&rwlock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-@@ -406,7 +460,7 @@ test_rwlock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  rwlock_checker_done = 1;
-+  set_atomic_int_value (&rwlock_checker_done, 1);
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (checkerthreads[i], NULL);
-   check_accounts ();
-@@ -467,12 +521,12 @@ reclock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int reclock_checker_done;
-+static struct atomic_int reclock_checker_done;
- 
- static void *
- reclock_checker_thread (void *arg)
- {
--  while (!reclock_checker_done)
-+  while (get_atomic_int_value (&reclock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_recursive_lock_lock (my_reclock);
-@@ -497,7 +551,8 @@ test_recursive_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  reclock_checker_done = 0;
-+  init_atomic_int (&reclock_checker_done);
-+  set_atomic_int_value (&reclock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (reclock_checker_thread, NULL);
-@@ -507,7 +562,7 @@ test_recursive_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  reclock_checker_done = 1;
-+  set_atomic_int_value (&reclock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
diff --git a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch b/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
deleted file mode 100644
index d38bd593c0..0000000000
--- a/gnu/packages/patches/ghostscript-CVE-2017-8291.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-Fix CVE-2017-8291:
-
-https://bugs.ghostscript.com/show_bug.cgi?id=697799
-https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291
-
-Patches copied from upstream source repository:
-
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=04b37bbce174eed24edec7ad5b920eb93db4d47d
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e
-https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad
-
-From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:03:33 +0100
-Subject: [PATCH] Bug 697799: have .eqproc check its parameters
-
-The Ghostscript custom operator .eqproc was not check the number or type of
-the parameters it was given.
----
- psi/zmisc3.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 54b304246..37293ff4b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
-     ref2_t stack[MAX_DEPTH + 1];
-     ref2_t *top = stack;
- 
-+    if (ref_stack_count(&o_stack) < 2)
-+        return_error(gs_error_stackunderflow);
-+    if (!r_is_array(op - 1) || !r_is_array(op)) {
-+        return_error(gs_error_typecheck);
-+    }
-+
-     make_array(&stack[0].proc1, 0, 1, op - 1);
-     make_array(&stack[0].proc2, 0, 1, op);
-     for (;;) {
--- 
-2.13.0
-
-From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 27 Apr 2017 13:21:31 +0100
-Subject: [PATCH] Bug 697799: have .rsdparams check its parameters
-
-The Ghostscript internal operator .rsdparams wasn't checking the number or
-type of the operands it was being passed. Do so.
----
- psi/zfrsd.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 191107d8a..950588d69 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
-     ref *pFilter;
-     ref *pDecodeParms;
-     int Intent = 0;
--    bool AsyncRead;
-+    bool AsyncRead = false;
-     ref empty_array, filter1_array, parms1_array;
-     uint i;
--    int code;
-+    int code = 0;
-+
-+    if (ref_stack_count(&o_stack) < 1)
-+        return_error(gs_error_stackunderflow);
-+    if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-+        return_error(gs_error_typecheck);
-+    }
- 
-     make_empty_array(&empty_array, a_readonly);
--    if (dict_find_string(op, "Filter", &pFilter) > 0) {
-+    if (r_has_type(op, t_dictionary)
-+        && dict_find_string(op, "Filter", &pFilter) > 0) {
-         if (!r_is_array(pFilter)) {
-             if (!r_has_type(pFilter, t_name))
-                 return_error(gs_error_typecheck);
-@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
-                 return_error(gs_error_typecheck);
-         }
-     }
--    code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-+    if (r_has_type(op, t_dictionary))
-+        code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
-     if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
-         return code;
--    if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
--        )
--        return code;
-+    if (r_has_type(op, t_dictionary))
-+        if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
-+            return code;
-     push(1);
-     op[-1] = *pFilter;
-     if (pDecodeParms)
--- 
-2.13.0
-
-From 57f20719e1cfaea77b67cb26e26de7fe4d7f9b2e Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Wed, 3 May 2017 12:05:45 +0100
-Subject: [PATCH] Bug 697846: revision to commit 4f83478c88 (.eqproc)
-
-When using the "DELAYBIND" feature, it turns out that .eqproc can be called with
-parameters that are not both procedures. In this case, it turns out, the
-expectation is for the operator to return 'false', rather than throw an error.
----
- psi/zmisc3.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 37293ff4b..3f01d39a3 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -38,6 +38,15 @@ zcliprestore(i_ctx_t *i_ctx_p)
-     return gs_cliprestore(igs);
- }
- 
-+static inline bool
-+eqproc_check_type(ref *r)
-+{
-+    return r_has_type(r, t_array)
-+           || r_has_type(r, t_mixedarray)
-+           || r_has_type(r, t_shortarray)
-+           || r_has_type(r, t_oparray);
-+}
-+
- /* <proc1> <proc2> .eqproc <bool> */
- /*
-  * Test whether two procedures are equal to depth 10.
-@@ -58,8 +67,10 @@ zeqproc(i_ctx_t *i_ctx_p)
- 
-     if (ref_stack_count(&o_stack) < 2)
-         return_error(gs_error_stackunderflow);
--    if (!r_is_array(op - 1) || !r_is_array(op)) {
--        return_error(gs_error_typecheck);
-+    if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
-+        make_false(op - 1);
-+        pop(1);
-+        return 0;
-     }
- 
-     make_array(&stack[0].proc1, 0, 1, op - 1);
--- 
-2.13.0
-
-From ccfd2c75ac9be4cbd369e4cbdd40ba11a0c7bdad Mon Sep 17 00:00:00 2001
-From: Chris Liddell <chris.liddell@artifex.com>
-Date: Thu, 11 May 2017 14:07:48 +0100
-Subject: [PATCH] Bug 697892: fix check for op stack underflow.
-
-In the original fix, I used the wrong method to check for stack underflow, this
-is using the correct method.
----
- psi/zfrsd.c  | 3 +--
- psi/zmisc3.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/psi/zfrsd.c b/psi/zfrsd.c
-index 950588d69..9c035b96d 100644
---- a/psi/zfrsd.c
-+++ b/psi/zfrsd.c
-@@ -54,8 +54,7 @@ zrsdparams(i_ctx_t *i_ctx_p)
-     uint i;
-     int code = 0;
- 
--    if (ref_stack_count(&o_stack) < 1)
--        return_error(gs_error_stackunderflow);
-+    check_op(1);
-     if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
-         return_error(gs_error_typecheck);
-     }
-diff --git a/psi/zmisc3.c b/psi/zmisc3.c
-index 3f01d39a3..43803b55b 100644
---- a/psi/zmisc3.c
-+++ b/psi/zmisc3.c
-@@ -65,8 +65,7 @@ zeqproc(i_ctx_t *i_ctx_p)
-     ref2_t stack[MAX_DEPTH + 1];
-     ref2_t *top = stack;
- 
--    if (ref_stack_count(&o_stack) < 2)
--        return_error(gs_error_stackunderflow);
-+    check_op(2);
-     if (!eqproc_check_type(op -1) || !eqproc_check_type(op)) {
-         make_false(op - 1);
-         pop(1);
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/glib-respect-datadir.patch b/gnu/packages/patches/glib-respect-datadir.patch
new file mode 100644
index 0000000000..309ce9fc0b
--- /dev/null
+++ b/gnu/packages/patches/glib-respect-datadir.patch
@@ -0,0 +1,21 @@
+On Guix, Python modules are in a different output from the executables,
+so searching "../share/glib-2.0" will not work.
+
+This patch restores behaviour prior to this commit:
+<https://git.gnome.org/browse/glib/commit/?id=fe2a9887a8ccb14f2386e01b14834e97a33bc2d7>
+
+--- a/gio/gdbus-2.0/codegen/gdbus-codegen.in
++++ b/gio/gdbus-2.0/codegen/gdbus-codegen.in
+@@ -25,9 +25,12 @@
+ 
+ srcdir = os.getenv('UNINSTALLED_GLIB_SRCDIR', None)
+ filedir = os.path.dirname(__file__)
++datadir = os.path.join('@datadir@', 'glib-2.0')
+ 
+ if srcdir is not None:
+     path = os.path.join(srcdir, 'gio', 'gdbus-2.0')
++elif os.path.exists(os.path.join(datadir, 'codegen')):
++    path = datadir
+ elif os.path.basename(filedir) == 'bin':
+     # Make the prefix containing gdbus-codegen 'relocatable' at runtime by
+     # adding /some/prefix/bin/../share/glib-2.0 to the python path
diff --git a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch b/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
deleted file mode 100644
index 76d688c517..0000000000
--- a/gnu/packages/patches/glibc-CVE-2017-15670-15671.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Fix CVE-2017-15670:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670
-https://sourceware.org/bugzilla/show_bug.cgi?id=22320
-https://bugzilla.redhat.com/show_bug.cgi?id=1504804
-
-And CVE-2017-15671:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15671
-https://sourceware.org/bugzilla/show_bug.cgi?id=22325
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15671
-
-Copied from upstream:
-<https://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=2d1bd71ec70a31b01d01b734faa66bb1ed28961f>
-
-diff --git a/posix/glob.c b/posix/glob.c
---- a/posix/glob.c
-+++ b/posix/glob.c
-@@ -843,7 +843,7 @@
- 		  *p = '\0';
- 		}
- 	      else
--		*((char *) mempcpy (newp, dirname + 1, end_name - dirname))
-+		*((char *) mempcpy (newp, dirname + 1, end_name - dirname - 1))
- 		  = '\0';
- 	      user_name = newp;
- 	    }
diff --git a/gnu/packages/patches/gpm-glibc-2.26.patch b/gnu/packages/patches/gpm-glibc-2.26.patch
new file mode 100644
index 0000000000..6caf7a01e0
--- /dev/null
+++ b/gnu/packages/patches/gpm-glibc-2.26.patch
@@ -0,0 +1,50 @@
+Fix building of GPM with glibc 2.26:
+
+https://bugs.gentoo.org/629774
+
+Patches copied from Gentoo:
+
+https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/gpm/files/gpm-1.20.7-glibc-2.26.patch?id=1618968c56caf7f8c08823908d88dc49bb8f7649
+https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-libs/gpm/files/gpm-1.20.7-sysmacros.patch?id=1618968c56caf7f8c08823908d88dc49bb8f7649
+
+--- a/src/prog/gpm-root.y	2012-10-26 17:21:38.000000000 -0400
++++ b/src/prog/gpm-root.y	2017-09-07 20:39:51.933264063 -0400
+@@ -1197,7 +1197,7 @@
+    /* reap your zombies */
+    childaction.sa_handler=reap_children;
+ #if defined(__GLIBC__)
+-   __sigemptyset(&childaction.sa_mask);
++   sigemptyset(&childaction.sa_mask);
+ #else /* __GLIBC__ */
+    childaction.sa_mask=0;
+ #endif /* __GLIBC__ */
+From b350aee4ea5785a75cb6ad770f6b768c506ebb70 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Mon, 14 Mar 2016 15:39:54 -0400
+Subject: [PATCH] fix building w/newer glibc
+
+Linux C libraries are looking to disentangle sysmacros.h from the
+sys/types.h include, so make sure we pull in the header when it is
+found.
+---
+ src/daemon/open_console.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/daemon/open_console.c b/src/daemon/open_console.c
+index 4d6c0af..6dd43e6 100644
+--- a/src/daemon/open_console.c
++++ b/src/daemon/open_console.c
+@@ -24,6 +24,10 @@
+ #include <sys/types.h>              /* major()           */
+ #include <sys/ioctl.h>              /* ioctl             */
+ 
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>          /* major() w/newer glibc */
++#endif
++
+ /* Linux specific (to be outsourced in gpm2 */
+ #include <linux/serial.h>           /* for serial console check */
+ #include <asm/ioctls.h>            /* for serial console check */
+-- 
+2.6.2
+
diff --git a/gnu/packages/patches/grep-gnulib-lock.patch b/gnu/packages/patches/grep-gnulib-lock.patch
deleted file mode 100644
index 68c33f1031..0000000000
--- a/gnu/packages/patches/grep-gnulib-lock.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-This patch fix error on 'gnulib' library required to build
-'grep' package on GNU/Hurd.
-The patch was adapted from upstream source repository:
-'<http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=4084b3a1094372b960ce4a97634e08f4538c8bdd>'
-
-Commit: 4084b3a1094372b960ce4a97634e08f4538c8bdd
-
-diff --git a/lib/glthread/lock.c b/lib/glthread/lock.c
-index 061562b..afc86f4 100644
---- a/lib/glthread/lock.c
-+++ b/lib/glthread/lock.c
-@@ -30,7 +30,7 @@
- 
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
- 
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
- 
- #  ifdef PTHREAD_RWLOCK_INITIALIZER
- 
-diff --git a/lib/glthread/lock.h b/lib/glthread/lock.h
-index ec16d39..67932aa 100644
---- a/lib/glthread/lock.h
-+++ b/lib/glthread/lock.h
-@@ -179,7 +179,7 @@ typedef pthread_mutex_t gl_lock_t;
- 
- /* ------------------------- gl_rwlock_t datatype ------------------------- */
- 
--# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (__GNU_LIBRARY__ > 1))
-+# if HAVE_PTHREAD_RWLOCK && (HAVE_PTHREAD_RWLOCK_RDLOCK_PREFER_WRITER || (defined PTHREAD_RWLOCK_WRITER_NONRECURSIVE_INITIALIZER_NP && (__GNU_LIBRARY__ > 1)))
- 
- #  ifdef PTHREAD_RWLOCK_INITIALIZER
diff --git a/gnu/packages/patches/gtk2-fix-failing-test.patch b/gnu/packages/patches/gtk2-fix-failing-test.patch
new file mode 100644
index 0000000000..721dc012c7
--- /dev/null
+++ b/gnu/packages/patches/gtk2-fix-failing-test.patch
@@ -0,0 +1,39 @@
+From 12d8b4e8f2f9c9a7707d1d3fccba382732212e3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=A1bor=20Boskovits?= <boskovits@gmail.com>
+Date: Tue, 5 Dec 2017 20:06:36 +0100
+Subject: [PATCH] Fix test failing on new GLib versions.
+
+This test fails on newer GLib version, because GLib exports a new public marshaller.
+The additional symbol making the test fail is:
+g_cclosure_marshal_BOOLEAN__BOXED_BOXED
+
+The fix makes the test ignore non-gtk related abi.
+This ensures if future marshallers are added to glib those will not pose a problem.
+
+The fix also ensures that the test still checks the gtk abi for identity, and
+that the library provides a superset of the required abi.
+
+Upstream reponse to this problem was:
+
+GLib added a new marshaller in its public API
+And the `abicheck.sh`in GTK+ 2.24 hasn't been updated because GTK+ 2.24 is in deep
+maintenance mode and very few people test it against newer versions of GLib
+
+---
+ gtk/abicheck.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gtk/abicheck.sh b/gtk/abicheck.sh
+index 0d033fb..53b7bfe 100755
+--- a/gtk/abicheck.sh
++++ b/gtk/abicheck.sh
+@@ -1,5 +1,5 @@
+ #! /bin/sh
+ 
+ cpp -DINCLUDE_VARIABLES -P -DG_OS_UNIX -DGTK_WINDOWING_X11 -DALL_FILES ${srcdir:-.}/gtk.symbols | sed -e '/^$/d' -e 's/ G_GNUC.*$//' -e 's/ PRIVATE//' | sort > expected-abi
+-nm -D -g --defined-only .libs/libgtk-x11-2.0.so | cut -d ' ' -f 3 | egrep -v '^(__bss_start|_edata|_end)' | sort > actual-abi
++nm -D -g --defined-only .libs/libgtk-x11-2.0.so | cut -d ' ' -f 3 | egrep -v '^(__bss_start|_edata|_end)' | egrep '^gtk_' | sort > actual-abi
+ diff -u expected-abi actual-abi && rm -f expected-abi actual-abi
+-- 
+2.15.0
+
diff --git a/gnu/packages/patches/icecat-glibc-2.26.patch b/gnu/packages/patches/icecat-glibc-2.26.patch
new file mode 100644
index 0000000000..45ebd5f700
--- /dev/null
+++ b/gnu/packages/patches/icecat-glibc-2.26.patch
@@ -0,0 +1,261 @@
+Fix compilation with glibc 2.26. Patch found
+at <https://aur.archlinux.org/cgit/aur.git/plain/glibc-2.26-fix.diff?h=firefox-esr>,
+adjusted so that file names match.
+
+From 6a0b7c8ecf0734ba1bcdccf8e0ee97e721fd5420 Mon Sep 17 00:00:00 2001
+Message-Id: <6a0b7c8ecf0734ba1bcdccf8e0ee97e721fd5420.1505113337.git.jan.steffens@gmail.com>
+From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
+Date: Sat, 19 Aug 2017 20:14:25 +0200
+Subject: [PATCH] Fix use of struct ucontext (squash 2 commits)
+
+Needed for building with glibc 2.26.
+
+Bug 1385667: Use ucontext_t consistently in breakpad-client. r=ted
+MozReview-Commit-ID: AJhzJdNXP0f
+
+Bug 1394149: Fix remaining uses of ucontext in breakpad-client. r=ted
+MozReview-Commit-ID: 5tP7fXsI7dQ
+---
+ .../linux/dump_writer_common/ucontext_reader.cc    | 30 +++++++++++-----------
+ .../linux/dump_writer_common/ucontext_reader.h     | 10 ++++----
+ .../linux/handler/exception_handler.cc             | 10 ++++----
+ .../linux/handler/exception_handler.h              |  2 +-
+ .../linux/microdump_writer/microdump_writer.cc     |  2 +-
+ .../linux/minidump_writer/minidump_writer.cc       |  2 +-
+ 6 files changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+index 999960912e459e1b..303c0ebd32b663c4 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+@@ -40,15 +40,15 @@ namespace google_breakpad {
+ 
+ #if defined(__i386__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_ESP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_EIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct _libc_fpstate* fp) {
+   const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -88,15 +88,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
+ 
+ #elif defined(__x86_64)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_RSP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_RIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct _libc_fpstate* fpregs) {
+   const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -145,15 +145,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
+ 
+ #elif defined(__ARM_EABI__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.arm_sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.arm_pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+   out->context_flags = MD_CONTEXT_ARM_FULL;
+ 
+   out->iregs[0] = uc->uc_mcontext.arm_r0;
+@@ -184,41 +184,41 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
+ 
+ #elif defined(__aarch64__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct fpsimd_context* fpregs) {
+   out->context_flags = MD_CONTEXT_ARM64_FULL;
+ 
+   out->cpsr = static_cast<uint32_t>(uc->uc_mcontext.pstate);
+   for (int i = 0; i < MD_CONTEXT_ARM64_REG_SP; ++i)
+     out->iregs[i] = uc->uc_mcontext.regs[i];
+   out->iregs[MD_CONTEXT_ARM64_REG_SP] = uc->uc_mcontext.sp;
+   out->iregs[MD_CONTEXT_ARM64_REG_PC] = uc->uc_mcontext.pc;
+ 
+   out->float_save.fpsr = fpregs->fpsr;
+   out->float_save.fpcr = fpregs->fpcr;
+   my_memcpy(&out->float_save.regs, &fpregs->vregs,
+       MD_FLOATINGSAVEAREA_ARM64_FPR_COUNT * 16);
+ }
+ 
+ #elif defined(__mips__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[MD_CONTEXT_MIPS_REG_SP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+ #if _MIPS_SIM == _ABI64
+   out->context_flags = MD_CONTEXT_MIPS64_FULL;
+ #elif _MIPS_SIM == _ABIO32
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+index c533e28ba7441e83..039752a2dfb6e589 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+@@ -41,21 +41,21 @@ namespace google_breakpad {
+ 
+ // Wraps platform-dependent implementations of accessors to ucontext structs.
+ struct UContextReader {
+-  static uintptr_t GetStackPointer(const struct ucontext* uc);
++  static uintptr_t GetStackPointer(const ucontext_t* uc);
+ 
+-  static uintptr_t GetInstructionPointer(const struct ucontext* uc);
++  static uintptr_t GetInstructionPointer(const ucontext_t* uc);
+ 
+   // Juggle a arch-specific ucontext into a minidump format
+   //   out: the minidump structure
+   //   info: the collection of register structures.
+ #if defined(__i386__) || defined(__x86_64)
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                              const struct _libc_fpstate* fp);
+ #elif defined(__aarch64__)
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                              const struct fpsimd_context* fpregs);
+ #else
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc);
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc);
+ #endif
+ };
+ 
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
+index 71a51a763938e39d..12df9bc96ec45fea 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
+@@ -439,44 +439,44 @@ bool ExceptionHandler::HandleSignal(int sig, siginfo_t* info, void* uc) {
+   // Fill in all the holes in the struct to make Valgrind happy.
+   memset(&g_crash_context_, 0, sizeof(g_crash_context_));
+   memcpy(&g_crash_context_.siginfo, info, sizeof(siginfo_t));
+-  memcpy(&g_crash_context_.context, uc, sizeof(struct ucontext));
++  memcpy(&g_crash_context_.context, uc, sizeof(ucontext_t));
+ #if defined(__aarch64__)
+-  struct ucontext* uc_ptr = (struct ucontext*)uc;
++  ucontext_t* uc_ptr = (ucontext_t*)uc;
+   struct fpsimd_context* fp_ptr =
+       (struct fpsimd_context*)&uc_ptr->uc_mcontext.__reserved;
+   if (fp_ptr->head.magic == FPSIMD_MAGIC) {
+     memcpy(&g_crash_context_.float_state, fp_ptr,
+            sizeof(g_crash_context_.float_state));
+   }
+ #elif !defined(__ARM_EABI__) && !defined(__mips__)
+   // FP state is not part of user ABI on ARM Linux.
+-  // In case of MIPS Linux FP state is already part of struct ucontext
++  // In case of MIPS Linux FP state is already part of ucontext_t
+   // and 'float_state' is not a member of CrashContext.
+-  struct ucontext* uc_ptr = (struct ucontext*)uc;
++  ucontext_t* uc_ptr = (ucontext_t*)uc;
+   if (uc_ptr->uc_mcontext.fpregs) {
+     memcpy(&g_crash_context_.float_state, uc_ptr->uc_mcontext.fpregs,
+            sizeof(g_crash_context_.float_state));
+   }
+ #endif
+   g_crash_context_.tid = syscall(__NR_gettid);
+   if (crash_handler_ != NULL) {
+     if (crash_handler_(&g_crash_context_, sizeof(g_crash_context_),
+                        callback_context_)) {
+       return true;
+     }
+   }
+   return GenerateDump(&g_crash_context_);
+ }
+ 
+ // This is a public interface to HandleSignal that allows the client to
+ // generate a crash dump. This function may run in a compromised context.
+ bool ExceptionHandler::SimulateSignalDelivery(int sig) {
+   siginfo_t siginfo = {};
+   // Mimic a trusted signal to allow tracing the process (see
+   // ExceptionHandler::HandleSignal().
+   siginfo.si_code = SI_USER;
+   siginfo.si_pid = getpid();
+-  struct ucontext context;
++  ucontext_t context;
+   getcontext(&context);
+   return HandleSignal(sig, &siginfo, &context);
+ }
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
+index 711586fec7ddae59..be1880170e2826b0 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
+@@ -191,7 +191,7 @@ class ExceptionHandler {
+   struct CrashContext {
+     siginfo_t siginfo;
+     pid_t tid;  // the crashing thread.
+-    struct ucontext context;
++    ucontext_t context;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+     // #ifdef this out because FP state is not part of user ABI for Linux ARM.
+     // In case of MIPS Linux FP state is already part of struct
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+index ff20bf36584c876b..a0b90e08fc5f0cff 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+@@ -571,7 +571,7 @@ class MicrodumpWriter {
+ 
+   void* Alloc(unsigned bytes) { return dumper_->allocator()->Alloc(bytes); }
+ 
+-  const struct ucontext* const ucontext_;
++  const ucontext_t* const ucontext_;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+   const google_breakpad::fpstate_t* const float_state_;
+ #endif
+diff --git a/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc b/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+index 0650bb95c179464a..6b5304bcd605ca3a 100644
+--- a/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
++++ b/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+@@ -1247,7 +1247,7 @@ class MinidumpWriter {
+   const int fd_;  // File descriptor where the minidum should be written.
+   const char* path_;  // Path to the file where the minidum should be written.
+ 
+-  const struct ucontext* const ucontext_;  // also from the signal handler
++  const ucontext_t* const ucontext_;  // also from the signal handler
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+   const google_breakpad::fpstate_t* const float_state_;  // ditto
+ #endif
+-- 
+2.14.1
diff --git a/gnu/packages/patches/icu4c-CVE-2017-14952.patch b/gnu/packages/patches/icu4c-CVE-2017-14952.patch
deleted file mode 100644
index 564f69d01d..0000000000
--- a/gnu/packages/patches/icu4c-CVE-2017-14952.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Fix CVE-2017-14952:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14952
-
-Patch copied from upstream source repository:
-
-http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp#file0
-
-Index: trunk/icu4c/source/i18n/zonemeta.cpp
-===================================================================
---- icu/source/i18n/zonemeta.cpp	(revision 40283)
-+++ icu/source/i18n/zonemeta.cpp	(revision 40324)
-@@ -691,5 +691,4 @@
-                     if (U_FAILURE(status)) {
-                         delete mzMappings;
--                        deleteOlsonToMetaMappingEntry(entry);
-                         uprv_free(entry);
-                         break;
diff --git a/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch b/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch
deleted file mode 100644
index 4db8f27998..0000000000
--- a/gnu/packages/patches/icu4c-CVE-2017-7867-CVE-2017-7868.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-Fix CVE-2017-7867 and CVE-2017-7868:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7867
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7868
-
-Patch copied from upstream source repository:
-
-http://bugs.icu-project.org/trac/changeset/39671
-
-Index: icu/source/common/utext.cpp
-===================================================================
---- icu/source/common/utext.cpp	(revision 39670)
-+++ icu/source/common/utext.cpp	(revision 39671)
-@@ -848,7 +848,13 @@
- 
- // Chunk size.
--//     Must be less than 85, because of byte mapping from UChar indexes to native indexes.
--//     Worst case is three native bytes to one UChar.  (Supplemenaries are 4 native bytes
--//     to two UChars.)
-+//     Must be less than 42  (256/6), because of byte mapping from UChar indexes to native indexes.
-+//     Worst case there are six UTF-8 bytes per UChar.
-+//         obsolete 6 byte form fd + 5 trails maps to fffd
-+//         obsolete 5 byte form fc + 4 trails maps to fffd
-+//         non-shortest 4 byte forms maps to fffd
-+//         normal supplementaries map to a pair of utf-16, two utf8 bytes per utf-16 unit
-+//     mapToUChars array size must allow for the worst case, 6.
-+//     This could be brought down to 4, by treating fd and fc as pure illegal,
-+//     rather than obsolete lead bytes. But that is not compatible with the utf-8 access macros.
- //
- enum { UTF8_TEXT_CHUNK_SIZE=32 };
-@@ -890,5 +896,5 @@
-                                                      //    one for a supplementary starting in the last normal position,
-                                                      //    and one for an entry for the buffer limit position.
--    uint8_t   mapToUChars[UTF8_TEXT_CHUNK_SIZE*3+6]; // Map native offset from bufNativeStart to
-+    uint8_t   mapToUChars[UTF8_TEXT_CHUNK_SIZE*6+6]; // Map native offset from bufNativeStart to
-                                                      //   correspoding offset in filled part of buf.
-     int32_t   align;
-@@ -1033,4 +1039,5 @@
-             u8b = (UTF8Buf *)ut->p;   // the current buffer
-             mapIndex = ix - u8b->toUCharsMapStart;
-+            U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
-             ut->chunkOffset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
-             return TRUE;
-@@ -1299,4 +1306,8 @@
-         //   If index is at the end, there is no character there to look at.
-         if (ix != ut->b) {
-+            // Note: this function will only move the index back if it is on a trail byte
-+            //       and there is a preceding lead byte and the sequence from the lead 
-+            //       through this trail could be part of a valid UTF-8 sequence
-+            //       Otherwise the index remains unchanged.
-             U8_SET_CP_START(s8, 0, ix);
-         }
-@@ -1312,5 +1323,8 @@
-         uint8_t *mapToNative = u8b->mapToNative;
-         uint8_t *mapToUChars = u8b->mapToUChars;
--        int32_t  toUCharsMapStart = ix - (UTF8_TEXT_CHUNK_SIZE*3 + 1);
-+        int32_t  toUCharsMapStart = ix - sizeof(UTF8Buf::mapToUChars) + 1;
-+        // Note that toUCharsMapStart can be negative. Happens when the remaining
-+        // text from current position to the beginning is less than the buffer size.
-+        // + 1 because mapToUChars must have a slot at the end for the bufNativeLimit entry.
-         int32_t  destIx = UTF8_TEXT_CHUNK_SIZE+2;   // Start in the overflow region
-                                                     //   at end of buffer to leave room
-@@ -1339,4 +1353,5 @@
-                 // Special case ASCII range for speed.
-                 buf[destIx] = (UChar)c;
-+                U_ASSERT(toUCharsMapStart <= srcIx);
-                 mapToUChars[srcIx - toUCharsMapStart] = (uint8_t)destIx;
-                 mapToNative[destIx] = (uint8_t)(srcIx - toUCharsMapStart);
-@@ -1368,4 +1383,5 @@
-                     mapToUChars[sIx-- - toUCharsMapStart] = (uint8_t)destIx;
-                 } while (sIx >= srcIx);
-+                U_ASSERT(toUCharsMapStart <= (srcIx+1));
- 
-                 // Set native indexing limit to be the current position.
-@@ -1542,4 +1558,5 @@
-     U_ASSERT(index<=ut->chunkNativeLimit);
-     int32_t mapIndex = index - u8b->toUCharsMapStart;
-+    U_ASSERT(mapIndex < (int32_t)sizeof(UTF8Buf::mapToUChars));
-     int32_t offset = u8b->mapToUChars[mapIndex] - u8b->bufStartIdx;
-     U_ASSERT(offset>=0 && offset<=ut->chunkLength);
-Index: icu/source/test/intltest/utxttest.cpp
-===================================================================
---- icu/source/test/intltest/utxttest.cpp	(revision 39670)
-+++ icu/source/test/intltest/utxttest.cpp	(revision 39671)
-@@ -68,4 +68,6 @@
-         case 7: name = "Ticket12130";
-             if (exec) Ticket12130(); break;
-+        case 8: name = "Ticket12888";
-+            if (exec) Ticket12888(); break;
-         default: name = "";          break;
-     }
-@@ -1584,2 +1586,62 @@
-     utext_close(&ut);
- }
-+
-+// Ticket 12888: bad handling of illegal utf-8 containing many instances of the archaic, now illegal,
-+//               six byte utf-8 forms. Original implementation had an assumption that
-+//               there would be at most three utf-8 bytes per UTF-16 code unit.
-+//               The five and six byte sequences map to a single replacement character.
-+
-+void UTextTest::Ticket12888() {
-+    const char *badString = 
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80"
-+            "\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80\xfd\x80\x80\x80\x80\x80";
-+
-+    UErrorCode status = U_ZERO_ERROR;
-+    LocalUTextPointer ut(utext_openUTF8(NULL, badString, -1, &status));
-+    TEST_SUCCESS(status);
-+    for (;;) {
-+        UChar32 c = utext_next32(ut.getAlias());
-+        if (c == U_SENTINEL) {
-+            break;
-+        }
-+    }
-+    int32_t endIdx = utext_getNativeIndex(ut.getAlias());
-+    if (endIdx != (int32_t)strlen(badString)) {
-+        errln("%s:%d expected=%d, actual=%d", __FILE__, __LINE__, strlen(badString), endIdx);
-+        return;
-+    }
-+
-+    for (int32_t prevIndex = endIdx; prevIndex>0;) {
-+        UChar32 c = utext_previous32(ut.getAlias());
-+        int32_t currentIndex = utext_getNativeIndex(ut.getAlias());
-+        if (c != 0xfffd) {
-+            errln("%s:%d (expected, actual, index) = (%d, %d, %d)\n",
-+                    __FILE__, __LINE__, 0xfffd, c, currentIndex);
-+            break;
-+        }
-+        if (currentIndex != prevIndex - 6) {
-+            errln("%s:%d: wrong index. Expected, actual = %d, %d",
-+                    __FILE__, __LINE__, prevIndex - 6, currentIndex);
-+            break;
-+        }
-+        prevIndex = currentIndex;
-+    }
-+}
-Index: icu/source/test/intltest/utxttest.h
-===================================================================
---- icu/source/test/intltest/utxttest.h	(revision 39670)
-+++ icu/source/test/intltest/utxttest.h	(revision 39671)
-@@ -39,4 +39,5 @@
-     void Ticket10983();
-     void Ticket12130();
-+    void Ticket12888();
- 
- private:
diff --git a/gnu/packages/patches/icu4c-reset-keyword-list-iterator.patch b/gnu/packages/patches/icu4c-reset-keyword-list-iterator.patch
deleted file mode 100644
index 17970aa4a8..0000000000
--- a/gnu/packages/patches/icu4c-reset-keyword-list-iterator.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Copied from upstream: http://bugs.icu-project.org/trac/changeset/39484/.
-
-Fixes <http://bugs.gnu.org/26462> (crashes).
-
-Paths and line endings have been adapted.
-
-Index: icu/source/common/ulist.c
-===================================================================
---- icu/source/common/ulist.c	(revision 39483)
-+++ icu/source/common/ulist.c	(revision 39484)
-@@ -30,5 +30,4 @@
-     
-     int32_t size;
--    int32_t currentIndex;
- };
- 
-@@ -52,5 +51,4 @@
-     newList->tail = NULL;
-     newList->size = 0;
--    newList->currentIndex = -1;
-     
-     return newList;
-@@ -81,6 +79,7 @@
-         p->next->previous = p->previous;
-     }
--    list->curr = NULL;
--    list->currentIndex = 0;
-+    if (p == list->curr) {
-+        list->curr = p->next;
-+    }
-     --list->size;
-     if (p->forceDelete) {
-@@ -151,5 +150,4 @@
-         list->head->previous = newItem;
-         list->head = newItem;
--        list->currentIndex++;
-     }
-     
-@@ -194,5 +192,4 @@
-     curr = list->curr;
-     list->curr = curr->next;
--    list->currentIndex++;
-     
-     return curr->data;
-@@ -210,5 +207,4 @@
-     if (list != NULL) {
-         list->curr = list->head;
--        list->currentIndex = 0;
-     }
- }
-@@ -273,3 +269,2 @@
-     return (UList *)(en->context);
- }
--
-Index: icu/source/i18n/ucol_res.cpp
-===================================================================
---- icu/source/i18n/ucol_res.cpp	(revision 39483)
-+++ icu/source/i18n/ucol_res.cpp	(revision 39484)
-@@ -681,4 +681,5 @@
-     }
-     memcpy(en, &defaultKeywordValues, sizeof(UEnumeration));
-+    ulist_resetList(sink.values);  // Initialize the iterator.
-     en->context = sink.values;
-     sink.values = NULL;  // Avoid deletion in the sink destructor.
-Index: icu/source/test/intltest/apicoll.cpp
-===================================================================
---- icu/source/test/intltest/apicoll.cpp	(revision 39483)
-+++ icu/source/test/intltest/apicoll.cpp	(revision 39484)
-@@ -82,14 +82,7 @@
-     col = Collator::createInstance(Locale::getEnglish(), success);
-     if (U_FAILURE(success)){
--        errcheckln(success, "Default Collator creation failed. - %s", u_errorName(success));
--        return;
--    }
--
--    StringEnumeration* kwEnum = col->getKeywordValuesForLocale("", Locale::getEnglish(),true,success);
--    if (U_FAILURE(success)){
--        errcheckln(success, "Get Keyword Values for Locale failed. - %s", u_errorName(success));
--        return;
--    }
--    delete kwEnum;
-+        errcheckln(success, "English Collator creation failed. - %s", u_errorName(success));
-+        return;
-+    }
- 
-     col->getVersion(versionArray);
-@@ -230,4 +223,27 @@
-     delete aFrCol;
-     delete junk;
-+}
-+
-+void CollationAPITest::TestKeywordValues() {
-+    IcuTestErrorCode errorCode(*this, "TestKeywordValues");
-+    LocalPointer<Collator> col(Collator::createInstance(Locale::getEnglish(), errorCode));
-+    if (errorCode.logIfFailureAndReset("English Collator creation failed")) {
-+        return;
-+    }
-+
-+    LocalPointer<StringEnumeration> kwEnum(
-+        col->getKeywordValuesForLocale("collation", Locale::getEnglish(), TRUE, errorCode));
-+    if (errorCode.logIfFailureAndReset("Get Keyword Values for English Collator failed")) {
-+        return;
-+    }
-+    assertTrue("expect at least one collation tailoring for English", kwEnum->count(errorCode) > 0);
-+    const char *kw;
-+    UBool hasStandard = FALSE;
-+    while ((kw = kwEnum->next(NULL, errorCode)) != NULL) {
-+        if (strcmp(kw, "standard") == 0) {
-+            hasStandard = TRUE;
-+        }
-+    }
-+    assertTrue("expect at least the 'standard' collation tailoring for English", hasStandard);
- }
- 
-@@ -2467,4 +2483,5 @@
-     TESTCASE_AUTO_BEGIN;
-     TESTCASE_AUTO(TestProperty);
-+    TESTCASE_AUTO(TestKeywordValues);
-     TESTCASE_AUTO(TestOperators);
-     TESTCASE_AUTO(TestDuplicate);
-Index: icu/source/test/intltest/apicoll.h
-===================================================================
---- icu/source/test/intltest/apicoll.h	(revision 39483)
-+++ icu/source/test/intltest/apicoll.h	(revision 39484)
-@@ -36,4 +36,5 @@
-      */
-     void TestProperty(/* char* par */);
-+    void TestKeywordValues();
- 
-     /**
diff --git a/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch b/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch
deleted file mode 100644
index f45209068f..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch
+++ /dev/null
@@ -1,906 +0,0 @@
-Fix CVE-2016-9601:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
-https://bugs.ghostscript.com/show_bug.cgi?id=697457
-
-Patch copied from upstream source repository:
-
-http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092
-
-From e698d5c11d27212aa1098bc5b1673a3378563092 Mon Sep 17 00:00:00 2001
-From: Robin Watts <robin.watts@artifex.com>
-Date: Mon, 12 Dec 2016 17:47:17 +0000
-Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build.
-
-Also rename "new" to "new_dict", because "new" is a bad
-variable name.
----
- jbig2.c             |  4 +--
- jbig2.h             |  8 +++---
- jbig2_generic.c     |  2 +-
- jbig2_halftone.c    | 24 ++++++++----------
- jbig2_huffman.c     | 10 ++++----
- jbig2_huffman.h     |  2 +-
- jbig2_image.c       | 32 +++++++++++------------
- jbig2_mmr.c         | 66 +++++++++++++++++++++++++-----------------------
- jbig2_page.c        |  6 ++---
- jbig2_priv.h        |  4 +--
- jbig2_segment.c     | 10 ++++----
- jbig2_symbol_dict.c | 73 +++++++++++++++++++++++++++--------------------------
- jbig2_symbol_dict.h |  6 ++---
- jbig2_text.c        | 16 ++++++------
- jbig2_text.h        |  2 +-
- 15 files changed, 134 insertions(+), 131 deletions(-)
-
-diff --git a/jbig2.c b/jbig2.c
-index f729e29..e51380f 100644
---- a/jbig2.c
-+++ b/jbig2.c
-@@ -379,7 +379,7 @@ typedef struct {
- } Jbig2WordStreamBuf;
- 
- static int
--jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word)
-+jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word)
- {
-     Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self;
-     const byte *data = z->data;
-@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t
-     else if (offset > z->size)
-         return -1;
-     else {
--        int i;
-+        size_t i;
- 
-         result = 0;
-         for (i = 0; i < z->size - offset; i++)
-diff --git a/jbig2.h b/jbig2.h
-index d5aa52f..624e0ed 100644
---- a/jbig2.h
-+++ b/jbig2.h
-@@ -56,17 +56,19 @@ typedef struct _Jbig2SymbolDictionary Jbig2SymbolDictionary;
- */
- 
- struct _Jbig2Image {
--    int width, height, stride;
-+    uint32_t width;
-+    uint32_t height;
-+    uint32_t stride;
-     uint8_t *data;
-     int refcount;
- };
- 
--Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
-+Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height);
- Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
- void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
- void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
- void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value);
--Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height);
-+Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height);
- 
- /* errors are returned from the library via a callback. If no callback
-    is provided (a NULL argument is passed ot jbig2_ctx_new) a default
-diff --git a/jbig2_generic.c b/jbig2_generic.c
-index 02fdbfb..9656198 100644
---- a/jbig2_generic.c
-+++ b/jbig2_generic.c
-@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte
-     byte seg_flags;
-     int8_t gbat[8];
-     int offset;
--    int gbat_bytes = 0;
-+    uint32_t gbat_bytes = 0;
-     Jbig2GenericRegionParams params;
-     int code = 0;
-     Jbig2Image *image = NULL;
-diff --git a/jbig2_halftone.c b/jbig2_halftone.c
-index aeab576..acfbc56 100644
---- a/jbig2_halftone.c
-+++ b/jbig2_halftone.c
-@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
- {
-     uint8_t **GSVALS = NULL;
-     size_t consumed_bytes = 0;
--    int i, j, code, stride;
--    int x, y;
-+    uint32_t i, j, stride, x, y;
-+    int code;
-     Jbig2Image **GSPLANES;
-     Jbig2GenericRegionParams rparams;
-     Jbig2WordStream *ws = NULL;
-@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
-         if (GSPLANES[i] == NULL) {
-             jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate %dx%d image for GSPLANES", GSW, GSH);
-             /* free already allocated */
--            for (j = i - 1; j >= 0; --j) {
--                jbig2_image_release(ctx, GSPLANES[j]);
--            }
-+            for (j = i; j > 0;)
-+                jbig2_image_release(ctx, GSPLANES[--j]);
-             jbig2_free(ctx->allocator, GSPLANES);
-             return NULL;
-         }
-@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
-     }
- 
-     /* C.5 step 2. Set j = GSBPP-2 */
--    j = GSBPP - 2;
-+    j = GSBPP - 1;
-     /* C.5 step 3. decode loop */
--    while (j >= 0) {
-+    while (j > 0) {
-+        j--;
-         /*  C.5 step 3. (a) */
-         if (GSMMR) {
-             code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes);
-@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
-             GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i];
- 
-         /*  C.5 step 3. (c) */
--        --j;
-     }
- 
-     /* allocate GSVALS */
-@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
-         if (GSVALS[i] == NULL) {
-             jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW);
-             /* free already allocated */
--            for (j = i - 1; j >= 0; --j) {
--                jbig2_free(ctx->allocator, GSVALS[j]);
--            }
-+            for (j = i; j > 0;)
-+                jbig2_free(ctx->allocator, GSVALS[--j]);
-             jbig2_free(ctx->allocator, GSVALS);
-             GSVALS = NULL;
-             goto cleanup;
-@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
-     uint8_t **GI;
-     Jbig2Image *HSKIP = NULL;
-     Jbig2PatternDict *HPATS;
--    int i;
-+    uint32_t i;
-     uint32_t mg, ng;
-     int32_t x, y;
-     uint8_t gray_val;
-@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
- 
-     /* calculate ceil(log2(HNUMPATS)) */
-     HBPP = 0;
--    while (HNUMPATS > (1 << ++HBPP));
-+    while (HNUMPATS > (1U << ++HBPP));
- 
-     /* 6.6.5 point 4. decode gray-scale image as mentioned in annex C */
-     GI = jbig2_decode_gray_scale_image(ctx, segment, data, size,
-diff --git a/jbig2_huffman.c b/jbig2_huffman.c
-index 4521b48..f77981b 100644
---- a/jbig2_huffman.c
-+++ b/jbig2_huffman.c
-@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState {
-        is (offset + 4) * 8. */
-     uint32_t this_word;
-     uint32_t next_word;
--    int offset_bits;
--    int offset;
--    int offset_limit;
-+    uint32_t offset_bits;
-+    uint32_t offset;
-+    uint32_t offset_limit;
- 
-     Jbig2WordStream *ws;
-     Jbig2Ctx *ctx;
- };
- 
- static uint32_t
--huff_get_next_word(Jbig2HuffmanState *hs, int offset)
-+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
- {
-     uint32_t word = 0;
-     Jbig2WordStream *ws = hs->ws;
-@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
- /* return the offset of the huffman decode pointer (in bytes)
-  * from the beginning of the WordStream
-  */
--int
-+uint32_t
- jbig2_huffman_offset(Jbig2HuffmanState *hs)
- {
-     return hs->offset + (hs->offset_bits >> 3);
-diff --git a/jbig2_huffman.h b/jbig2_huffman.h
-index 5d1e6e0..cfda9e0 100644
---- a/jbig2_huffman.h
-+++ b/jbig2_huffman.h
-@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs);
- 
- void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
- 
--int jbig2_huffman_offset(Jbig2HuffmanState *hs);
-+uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
- 
- int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob);
- 
-diff --git a/jbig2_image.c b/jbig2_image.c
-index 1ae614e..94e5a4c 100644
---- a/jbig2_image.c
-+++ b/jbig2_image.c
-@@ -32,10 +32,10 @@
- 
- /* allocate a Jbig2Image structure and its associated bitmap */
- Jbig2Image *
--jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
-+jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
- {
-     Jbig2Image *image;
--    int stride;
-+    uint32_t stride;
-     int64_t check;
- 
-     image = jbig2_new(ctx, Jbig2Image, 1);
-@@ -99,7 +99,7 @@ jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image)
- 
- /* resize a Jbig2Image */
- Jbig2Image *
--jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
-+jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height)
- {
-     if (width == image->width) {
-         /* check for integer multiplication overflow */
-@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
- static int
- jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
- {
--    int i, j;
--    int sw = src->width;
--    int sh = src->height;
--    int sx = 0;
--    int sy = 0;
-+    uint32_t i, j;
-+    uint32_t sw = src->width;
-+    uint32_t sh = src->height;
-+    uint32_t sx = 0;
-+    uint32_t sy = 0;
- 
-     /* clip to the dst image boundaries */
-     if (x < 0) {
-@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x
- int
- jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
- {
--    int i, j;
--    int w, h;
--    int leftbyte, rightbyte;
--    int shift;
-+    uint32_t i, j;
-+    uint32_t w, h;
-+    uint32_t leftbyte, rightbyte;
-+    uint32_t shift;
-     uint8_t *s, *ss;
-     uint8_t *d, *dd;
-     uint8_t mask, rightmask;
-@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
-         h += y;
-         y = 0;
-     }
--    w = (x + w < dst->width) ? w : dst->width - x;
--    h = (y + h < dst->height) ? h : dst->height - y;
-+    w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0);
-+    h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? dst->height - (uint32_t)y : 0);
- #ifdef JBIG2_DEBUG
-     jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y);
- #endif
-@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
-     }
- #endif
- 
--    leftbyte = x >> 3;
--    rightbyte = (x + w - 1) >> 3;
-+    leftbyte = (uint32_t)x >> 3;
-+    rightbyte = ((uint32_t)x + w - 1) >> 3;
-     shift = x & 7;
- 
-     /* general OR case */
-diff --git a/jbig2_mmr.c b/jbig2_mmr.c
-index d4cd3a2..390e27c 100644
---- a/jbig2_mmr.c
-+++ b/jbig2_mmr.c
-@@ -38,19 +38,21 @@
- #include "jbig2_mmr.h"
- 
- typedef struct {
--    int width;
--    int height;
-+    uint32_t width;
-+    uint32_t height;
-     const byte *data;
-     size_t size;
--    int data_index;
--    int bit_index;
-+    uint32_t data_index;
-+    uint32_t bit_index;
-     uint32_t word;
- } Jbig2MmrCtx;
- 
-+#define MINUS1 ((uint32_t)-1)
-+
- static void
- jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
- {
--    int i;
-+    size_t i;
-     uint32_t word = 0;
- 
-     mmr->width = width;
-@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
- #define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
- 
- static int
--jbig2_find_changing_element(const byte *line, int x, int w)
-+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
- {
-     int a, b;
- 
-     if (line == 0)
--        return w;
-+        return (int)w;
- 
--    if (x == -1) {
-+    if (x == MINUS1) {
-         a = 0;
-         x = 0;
-     } else {
-@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w)
- }
- 
- static int
--jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color)
-+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
- {
-     if (line == 0)
-         return w;
-@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
- static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
- 
- static void
--jbig2_set_bits(byte *line, int x0, int x1)
-+jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1)
- {
--    int a0, a1, b0, b1, a;
-+    uint32_t a0, a1, b0, b1, a;
- 
-     a0 = x0 >> 3;
-     a1 = x1 >> 3;
-@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_
- static int
- jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
- {
--    int a0 = -1;
--    int a1, a2, b1, b2;
-+    uint32_t a0 = MINUS1;
-+    uint32_t a1, a2, b1, b2;
-     int c = 0;                  /* 0 is white, black is 1 */
- 
-     while (1) {
-@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
- 
-         /* printf ("%08x\n", word); */
- 
--        if (a0 >= mmr->width)
-+        if (a0 != MINUS1 && a0 >= mmr->width)
-             break;
- 
-         if ((word >> (32 - 3)) == 1) {
-@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
- 
-             jbig2_decode_mmr_consume(mmr, 3);
- 
--            if (a0 == -1)
-+            if (a0 == MINUS1)
-                 a0 = 0;
- 
-             if (c == 0) {
-@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-                     a1 = mmr->width;
-                 if (a2 > mmr->width)
-                     a2 = mmr->width;
--                if (a2 < a1 || a1 < 0)
-+                if (a1 == MINUS1 || a2 < a1)
-                     return -1;
-                 jbig2_set_bits(dst, a1, a2);
-                 a0 = a2;
-@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-                     a1 = mmr->width;
-                 if (a2 > mmr->width)
-                     a2 = mmr->width;
--                if (a1 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || a1 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, a1);
-                 a0 = a2;
-@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
-             b2 = jbig2_find_changing_element(ref, b1, mmr->width);
-             if (c) {
--                if (b2 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b2 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b2);
-             }
-@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             jbig2_decode_mmr_consume(mmr, 1);
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
-             if (c) {
--                if (b1 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1);
-             }
-@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             if (b1 + 1 > mmr->width)
-                 break;
-             if (c) {
--                if (b1 + 1 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 + 1 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 + 1);
-             }
-@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             if (b1 + 2 > mmr->width)
-                 break;
-             if (c) {
--                if (b1 + 2 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 + 2 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 + 2);
-             }
-@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             /* printf ("VR(3)\n"); */
-             jbig2_decode_mmr_consume(mmr, 7);
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
--            if (b1 + 3 > mmr->width)
-+            if (b1 + 3 > (int)mmr->width)
-                 break;
-             if (c) {
--                if (b1 + 3 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 + 3 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 + 3);
-             }
-@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             /* printf ("VL(1)\n"); */
-             jbig2_decode_mmr_consume(mmr, 3);
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
--            if (b1 - 1 < 0)
-+            if (b1 < 1)
-                 break;
-             if (c) {
--                if (b1 - 1 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 - 1 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 - 1);
-             }
-@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             /* printf ("VL(2)\n"); */
-             jbig2_decode_mmr_consume(mmr, 6);
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
--            if (b1 - 2 < 0)
-+            if (b1 < 2)
-                 break;
-             if (c) {
-                 if (b1 - 2 < a0 || a0 < 0)
-@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             /* printf ("VL(3)\n"); */
-             jbig2_decode_mmr_consume(mmr, 7);
-             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
--            if (b1 - 3 < 0)
-+            if (b1 < 3)
-                 break;
-             if (c) {
--                if (b1 - 3 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 - 3 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 - 3);
-             }
-@@ -1009,10 +1011,10 @@ int
- jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image)
- {
-     Jbig2MmrCtx mmr;
--    const int rowstride = image->stride;
-+    const uint32_t rowstride = image->stride;
-     byte *dst = image->data;
-     byte *ref = NULL;
--    int y;
-+    uint32_t y;
-     int code = 0;
- 
-     jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size);
-@@ -1047,10 +1049,10 @@ int
- jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes)
- {
-     Jbig2MmrCtx mmr;
--    const int rowstride = image->stride;
-+    const uint32_t rowstride = image->stride;
-     byte *dst = image->data;
-     byte *ref = NULL;
--    int y;
-+    uint32_t y;
-     int code = 0;
-     const uint32_t EOFB = 0x001001;
- 
-diff --git a/jbig2_page.c b/jbig2_page.c
-index 110ff7c..1ed1c8a 100644
---- a/jbig2_page.c
-+++ b/jbig2_page.c
-@@ -155,9 +155,9 @@ int
- jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
- {
-     Jbig2Page page = ctx->pages[ctx->current_page];
--    int end_row;
-+    uint32_t end_row;
- 
--    end_row = jbig2_get_int32(segment_data);
-+    end_row = jbig2_get_uint32(segment_data);
-     if (end_row < page.end_row) {
-         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
-                     "end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row);
-@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x,
- 
-     /* grow the page to accomodate a new stripe if necessary */
-     if (page->striped) {
--        int new_height = y + image->height + page->end_row;
-+        uint32_t new_height = y + image->height + page->end_row;
- 
-         if (page->image->height < new_height) {
-             jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height);
-diff --git a/jbig2_priv.h b/jbig2_priv.h
-index 42ba496..3d44b42 100644
---- a/jbig2_priv.h
-+++ b/jbig2_priv.h
-@@ -132,7 +132,7 @@ struct _Jbig2Page {
-     uint32_t x_resolution, y_resolution;        /* in pixels per meter */
-     uint16_t stripe_size;
-     bool striped;
--    int end_row;
-+    uint32_t end_row;
-     uint8_t flags;
-     Jbig2Image *image;
- };
-@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm
- typedef struct _Jbig2WordStream Jbig2WordStream;
- 
- struct _Jbig2WordStream {
--    int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word);
-+    int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word);
- };
- 
- Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size);
-diff --git a/jbig2_segment.c b/jbig2_segment.c
-index 2e0db67..5b63706 100644
---- a/jbig2_segment.c
-+++ b/jbig2_segment.c
-@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
-     uint8_t rtscarf;
-     uint32_t rtscarf_long;
-     uint32_t *referred_to_segments;
--    int referred_to_segment_count;
--    int referred_to_segment_size;
--    int pa_size;
--    int offset;
-+    uint32_t referred_to_segment_count;
-+    uint32_t referred_to_segment_size;
-+    uint32_t pa_size;
-+    uint32_t offset;
- 
-     /* minimum possible size of a jbig2 segment header */
-     if (buf_size < 11)
-@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
- 
-     /* 7.2.5 */
-     if (referred_to_segment_count) {
--        int i;
-+        uint32_t i;
- 
-         referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size);
-         if (referred_to_segments == NULL) {
-diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
-index 2c71a4c..11a2252 100644
---- a/jbig2_symbol_dict.c
-+++ b/jbig2_symbol_dict.c
-@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment)
- 
- /* return a new empty symbol dict */
- Jbig2SymbolDict *
--jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols)
-+jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
- {
--    Jbig2SymbolDict *new = NULL;
-+    Jbig2SymbolDict *new_dict = NULL;
- 
-     if (n_symbols < 0) {
-         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
-         return NULL;
-     }
- 
--    new = jbig2_new(ctx, Jbig2SymbolDict, 1);
--    if (new != NULL) {
--        new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
--        new->n_symbols = n_symbols;
-+    new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
-+    if (new_dict != NULL) {
-+        new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
-+        new_dict->n_symbols = n_symbols;
-     } else {
-         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict");
-         return NULL;
-     }
- 
--    if (new->glyphs != NULL) {
--        memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
-+    if (new_dict->glyphs != NULL) {
-+        memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
-     } else {
-         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict");
--        jbig2_free(ctx->allocator, new);
-+        jbig2_free(ctx->allocator, new_dict);
-         return NULL;
-     }
- 
--    return new;
-+    return new_dict;
- }
- 
- /* release the memory associated with a symbol dict */
- void
- jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict)
- {
--    int i;
-+    uint32_t i;
- 
-     if (dict == NULL)
-         return;
-@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id)
- }
- 
- /* count the number of dictionary segments referred to by the given segment */
--int
-+uint32_t
- jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
- {
-     int index;
-     Jbig2Segment *rsegment;
--    int n_dicts = 0;
-+    uint32_t n_dicts = 0;
- 
-     for (index = 0; index < segment->referred_to_segment_count; index++) {
-         rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]);
-@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
-     int index;
-     Jbig2Segment *rsegment;
-     Jbig2SymbolDict **dicts;
--    int n_dicts = jbig2_sd_count_referred(ctx, segment);
--    int dindex = 0;
-+    uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
-+    uint32_t dindex = 0;
- 
-     dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts);
-     if (dicts == NULL) {
-@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
- /* generate a new symbol dictionary by concatenating a list of
-    existing dictionaries */
- Jbig2SymbolDict *
--jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
-+jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts)
- {
--    int i, j, k, symbols;
--    Jbig2SymbolDict *new = NULL;
-+    uint32_t i, j, k, symbols;
-+    Jbig2SymbolDict *new_dict = NULL;
- 
-     /* count the imported symbols and allocate a new array */
-     symbols = 0;
-@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
-         symbols += dicts[i]->n_symbols;
- 
-     /* fill a new array with cloned glyph pointers */
--    new = jbig2_sd_new(ctx, symbols);
--    if (new != NULL) {
-+    new_dict = jbig2_sd_new(ctx, symbols);
-+    if (new_dict != NULL) {
-         k = 0;
-         for (i = 0; i < n_dicts; i++)
-             for (j = 0; j < dicts[i]->n_symbols; j++)
--                new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
-+                new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
-     } else {
-         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary");
-     }
- 
--    return new;
-+    return new_dict;
- }
- 
- /* Decoding routines */
-@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
- 
-                     if (REFAGGNINST > 1) {
-                         Jbig2Image *image;
--                        int i;
-+                        uint32_t i;
- 
-                         if (tparams == NULL) {
-                             /* First time through, we need to initialise the */
-@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-                         uint32_t ID;
-                         int32_t RDX, RDY;
-                         int BMSIZE = 0;
--                        int ninsyms = params->SDNUMINSYMS;
-+                        uint32_t ninsyms = params->SDNUMINSYMS;
-                         int code1 = 0;
-                         int code2 = 0;
-                         int code3 = 0;
-@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-         if (params->SDHUFF && !params->SDREFAGG) {
-             /* 6.5.9 */
-             Jbig2Image *image;
--            int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
--            int j, x;
-+            uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
-+            uint32_t j;
-+            int x;
- 
-             if (code || (BMSIZE < 0)) {
-                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
-@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary");
-         goto cleanup4;
-     } else {
--        int i = 0;
--        int j = 0;
--        int k;
-+        uint32_t i = 0;
-+        uint32_t j = 0;
-+        uint32_t k;
-         int exflag = 0;
--        int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
--        int32_t exrunlength;
-+        uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
-+        uint32_t exrunlength;
-         int zerolength = 0;
- 
-         while (i < limit) {
-             if (params->SDHUFF)
-                 exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
-             else
--                code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
-+                code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
-             /* prevent infinite loop */
-             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
--            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
-+            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
-                 if (code)
-                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
-                 else if (exrunlength <= 0)
-@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
- {
-     Jbig2SymbolDictParams params;
-     uint16_t flags;
--    int sdat_bytes;
--    int offset;
-+    uint32_t sdat_bytes;
-+    uint32_t offset;
-     Jbig2ArithCx *GB_stats = NULL;
-     Jbig2ArithCx *GR_stats = NULL;
-     int table_index = 0;
-@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
- 
-     /* 7.4.2.2 (2) */
-     {
--        int n_dicts = jbig2_sd_count_referred(ctx, segment);
-+        uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
-         Jbig2SymbolDict **dicts = NULL;
- 
-         if (n_dicts > 0) {
-diff --git a/jbig2_symbol_dict.h b/jbig2_symbol_dict.h
-index d56d62d..30211d4 100644
---- a/jbig2_symbol_dict.h
-+++ b/jbig2_symbol_dict.h
-@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se
- Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id);
- 
- /* return a new empty symbol dict */
--Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols);
-+Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols);
- 
- /* release the memory associated with a symbol dict */
- void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict);
- 
- /* generate a new symbol dictionary by concatenating a list of
-    existing dictionaries */
--Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts);
-+Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts);
- 
- /* count the number of dictionary segments referred
-    to by the given segment */
--int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
-+uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
- 
- /* return an array of pointers to symbol dictionaries referred
-    to by a segment */
-diff --git a/jbig2_text.c b/jbig2_text.c
-index 5c99640..e77460f 100644
---- a/jbig2_text.c
-+++ b/jbig2_text.c
-@@ -55,7 +55,7 @@
- int
- jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
-                          const Jbig2TextRegionParams *params,
--                         const Jbig2SymbolDict *const *dicts, const int n_dicts,
-+                         const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
-                          Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws)
- {
-     /* relevent bits of 6.4.4 */
-@@ -476,19 +476,19 @@ cleanup2:
- int
- jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data)
- {
--    int offset = 0;
-+    uint32_t offset = 0;
-     Jbig2RegionSegmentInfo region_info;
-     Jbig2TextRegionParams params;
-     Jbig2Image *image = NULL;
-     Jbig2SymbolDict **dicts = NULL;
--    int n_dicts = 0;
-+    uint32_t n_dicts = 0;
-     uint16_t flags = 0;
-     uint16_t huffman_flags = 0;
-     Jbig2ArithCx *GR_stats = NULL;
-     int code = 0;
-     Jbig2WordStream *ws = NULL;
-     Jbig2ArithState *as = NULL;
--    int table_index = 0;
-+    uint32_t table_index = 0;
-     const Jbig2HuffmanParams *huffman_params = NULL;
- 
-     /* 7.4.1 */
-@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
-         code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! previous parsing error?");
-         goto cleanup1;
-     } else {
--        int index;
-+        uint32_t index;
- 
-         if (dicts[0] == NULL) {
-             code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!");
-@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
-     }
- 
-     if (!params.SBHUFF) {
--        int SBSYMCODELEN, index;
--        int SBNUMSYMS = 0;
-+        uint32_t SBSYMCODELEN, index;
-+        uint32_t SBNUMSYMS = 0;
- 
-         for (index = 0; index < n_dicts; index++) {
-             SBNUMSYMS += dicts[index]->n_symbols;
-@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
-         }
- 
-         /* Table 31 */
--        for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
-+        for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
-         }
-         params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
-         params.IARI = jbig2_arith_int_ctx_new(ctx);
-diff --git a/jbig2_text.h b/jbig2_text.h
-index aec2732..51d242e 100644
---- a/jbig2_text.h
-+++ b/jbig2_text.h
-@@ -70,5 +70,5 @@ typedef struct {
- int
- jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
-                          const Jbig2TextRegionParams *params,
--                         const Jbig2SymbolDict *const *dicts, const int n_dicts,
-+                         const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
-                          Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws);
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
deleted file mode 100644
index a598392765..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Fix CVE-2017-7885:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
-https://bugs.ghostscript.com/show_bug.cgi?id=697703
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
-
-From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 3 May 2017 22:06:01 +0100
-Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
-
-Add extra check for the offset being greater than the size
-of the image and hence reading off the end of the buffer.
-
-Thank you to Dai Ge for finding this issue and suggesting a patch.
----
- jbig2_symbol_dict.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
-index 4acaba9..36225cb 100644
---- a/jbig2_symbol_dict.c
-+++ b/jbig2_symbol_dict.c
-@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-                 byte *dst = image->data;
- 
-                 /* SumatraPDF: prevent read access violation */
--                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
-+                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
-                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
-                                 size - jbig2_huffman_offset(hs));
-                     jbig2_image_release(ctx, image);
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
deleted file mode 100644
index c83fe9d9f2..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2017-7975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
-https://bugs.ghostscript.com/show_bug.cgi?id=697693
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
-
-From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 26 Apr 2017 22:12:14 +0100
-Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
-
-While building a Huffman table, the start and end points were susceptible
-to integer overflow.
-
-Thank you to Jiaqi for finding this issue and suggesting a patch.
----
- jbig2_huffman.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/jbig2_huffman.c b/jbig2_huffman.c
-index 511e461..b4189a1 100644
---- a/jbig2_huffman.c
-+++ b/jbig2_huffman.c
-@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
- 
-             if (PREFLEN == CURLEN) {
-                 int RANGELEN = lines[CURTEMP].RANGELEN;
--                int start_j = CURCODE << shift;
--                int end_j = (CURCODE + 1) << shift;
-+                uint32_t start_j = CURCODE << shift;
-+                uint32_t end_j = (CURCODE + 1) << shift;
-                 byte eflags = 0;
- 
-                 if (end_j > max_j) {
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
deleted file mode 100644
index 2fe02358b8..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-Fix CVE-2017-7976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
-https://bugs.ghostscript.com/show_bug.cgi?id=697683
-
-In order to make the bug-fix patch apply, we also include an earlier commit
-that it depends on.
-
-Patches copied from upstream source repository:
-
-Earlier commit, creating context for the CVE fix:
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
-
-CVE-2017-7976 bug fix:
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
-
-From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Wed, 14 Dec 2016 15:56:31 +0100
-Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
- false.
-
----
- jbig2_image.c       | 2 +-
- jbig2_mmr.c         | 2 +-
- jbig2_symbol_dict.c | 9 ++-------
- 3 files changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/jbig2_image.c b/jbig2_image.c
-index 94e5a4c..00f966b 100644
---- a/jbig2_image.c
-+++ b/jbig2_image.c
-@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
-     /* general OR case */
-     s = ss;
-     d = dd = dst->data + y * dst->stride + leftbyte;
--    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
-+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
-         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
-     }
-     if (leftbyte == rightbyte) {
-diff --git a/jbig2_mmr.c b/jbig2_mmr.c
-index 390e27c..da54934 100644
---- a/jbig2_mmr.c
-+++ b/jbig2_mmr.c
-@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
-             if (b1 < 2)
-                 break;
-             if (c) {
--                if (b1 - 2 < a0 || a0 < 0)
-+                if (a0 == MINUS1 || b1 - 2 < a0)
-                     return -1;
-                 jbig2_set_bits(dst, a0, b1 - 2);
-             }
-diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
-index 11a2252..4acaba9 100644
---- a/jbig2_symbol_dict.c
-+++ b/jbig2_symbol_dict.c
-@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
- {
-     Jbig2SymbolDict *new_dict = NULL;
- 
--    if (n_symbols < 0) {
--        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
--        return NULL;
--    }
--
-     new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
-     if (new_dict != NULL) {
-         new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
-@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-             uint32_t j;
-             int x;
- 
--            if (code || (BMSIZE < 0)) {
-+            if (code) {
-                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
-                 goto cleanup4;
-             }
-@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
-                 code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
-             /* prevent infinite loop */
-             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
--            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
-+            if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
-                 if (code)
-                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
-                 else if (exrunlength <= 0)
--- 
-2.13.0
-
-From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 10 May 2017 17:50:39 +0100
-Subject: [PATCH] Bug 697683: Bounds check before reading from image source
- data.
-
-Add extra check to prevent reading off the end of the image source
-data buffer.
-
-Thank you to Dai Ge for finding this issue and suggesting a patch.
----
- jbig2_image.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/jbig2_image.c b/jbig2_image.c
-index 661d0a5..ae161b9 100644
---- a/jbig2_image.c
-+++ b/jbig2_image.c
-@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
-     /* general OR case */
-     s = ss;
-     d = dd = dst->data + y * dst->stride + leftbyte;
--    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
-+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
-+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
-         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
-     }
-     if (leftbyte == rightbyte) {
--- 
-2.13.0
-
diff --git a/gnu/packages/patches/jbig2dec-ignore-testtest.patch b/gnu/packages/patches/jbig2dec-ignore-testtest.patch
index 1efde8628c..7c80c545e9 100644
--- a/gnu/packages/patches/jbig2dec-ignore-testtest.patch
+++ b/gnu/packages/patches/jbig2dec-ignore-testtest.patch
@@ -1,8 +1,8 @@
-Do not run the "testtest script", it doesn't seem to do anything and reports
-failiute. TODO: Actually fix the test instead of ignoring it.
+Do not run the test 'test_jbig2dec.py'. It doesn't seem to do anything
+and reports failure. TODO: Actually fix the test instead of ignoring it.
 
 diff --git a/Makefile.in b/Makefile.in
-index 0573592..1a5de77 100644
+index 63982d4..8af1d61 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -93,7 +93,7 @@ host_triplet = @host@
diff --git a/gnu/packages/patches/libgnome-encoding.patch b/gnu/packages/patches/libgnome-encoding.patch
new file mode 100644
index 0000000000..c7c352172f
--- /dev/null
+++ b/gnu/packages/patches/libgnome-encoding.patch
@@ -0,0 +1,16 @@
+Remove non-UTF-8 character (this is a NO-BREAK SPACE character, encoded in
+ISO-8859-1) to fix build failure with 'glib-mkenums' in GLib 2.54.2+.
+
+Patch from <https://github.com/macports/macports-ports/commit/1f3efc8e65cc060d1701407bd1e56e62e6bd9c55>.
+
+--- a/libgnome/gnome-config.h	2009-04-23 04:29:13.000000000 -0500
++++ b/libgnome/gnome-config.h	2017-10-04 02:17:22.000000000 -0500
+@@ -270,7 +270,7 @@ void gnome_config_clean_key_ (const char
+ #define gnome_config_private_clean_key(path) \
+ 	(gnome_config_clean_key_((path),TRUE))
+ 
+-/* returns the true filename of the config file */
++/* returns the true filename of the config file */
+ #define gnome_config_get_real_path(path) \
+ 	(g_build_filename (gnome_user_dir_get(),(path),NULL))
+ #define gnome_config_private_get_real_path(path) \
diff --git a/gnu/packages/patches/libgnomeui-utf8.patch b/gnu/packages/patches/libgnomeui-utf8.patch
new file mode 100644
index 0000000000..304d74e1e2
--- /dev/null
+++ b/gnu/packages/patches/libgnomeui-utf8.patch
@@ -0,0 +1,51 @@
+Fixes build with Python >= 3.6:
+
+------
+Making all in libgnomeui
+make[2]: Entering directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5/libgnomeui'
+  GEN    stamp-gnome-marshal.h
+  GEN    stamp-gnometypebuiltins.h
+INFO: Reading ./gnome-marshal.list...
+  GEN    gnome-marshal.h
+Traceback (most recent call last):
+  File "/gnu/store/azh1is0xknn4xphwj33iqcb5ic9qhk8l-glib-2.54.2-bin/bin/glib-mkenums", line 688, in <module>
+    process_file(fname)
+  File "/gnu/store/azh1is0xknn4xphwj33iqcb5ic9qhk8l-glib-2.54.2-bin/bin/glib-mkenums", line 420, in process_file
+    line = curfile.readline()
+  File "/gnu/store/3lkypf5wnsnvkaidhw0pv7k3yjfh1r9g-python-3.6.3/lib/python3.6/codecs.py", line 321, in decode
+    (result, consumed) = self._buffer_decode(data, self.errors, final)
+UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 1009: invalid continuation byte
+make[2]: *** [Makefile:1109: stamp-gnometypebuiltins.h] Error 1
+make[2]: Leaving directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5/libgnomeui'
+make[1]: *** [Makefile:369: all-recursive] Error 1
+make[1]: Leaving directory '/tmp/guix-build-libgnomeui-2.24.5.drv-0/libgnomeui-2.24.5'
+make: *** [Makefile:296: all] Error 2
+------
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libgnomeui/commit/?id=30334c28794ef85d8973f4ed0779b5ceed6594f2
+
+From 30334c28794ef85d8973f4ed0779b5ceed6594f2 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Mon, 7 Aug 2017 13:15:26 -0400
+Subject: [PATCH] gnome-scores.h: Convert to UTF-8
+
+The new Python `glib-mkenums` barfs on ISO-8859-1 input.
+---
+ libgnomeui/gnome-scores.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgnomeui/gnome-scores.h b/libgnomeui/gnome-scores.h
+index 911b12d1..4e641d22 100644
+--- a/libgnomeui/gnome-scores.h
++++ b/libgnomeui/gnome-scores.h
+@@ -27,7 +27,7 @@
+  * "High Scores" Widget 
+  *
+  * AUTHOR: 
+- * Horacio J. Peña <horape@compendium.com.ar>
++ * Horacio J. Peña <horape@compendium.com.ar>
+  *
+  * This is free software (under the terms of the GNU LGPL)
+  *
diff --git a/gnu/packages/patches/libtiff-CVE-2016-10688.patch b/gnu/packages/patches/libtiff-CVE-2016-10688.patch
deleted file mode 100644
index 1630274c61..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-10688.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-Fix CVE-2017-10688:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2712
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
-https://security-tracker.debian.org/tracker/CVE-2017-10688
-
-Patch lifted from upstream source repository (the changes to 'ChangeLog'
-don't apply to the libtiff 4.0.8 release tarball).
-
-3rd party Git reference:
-
-https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
-
-2017-06-30  Even Rouault <even.rouault at spatialys.com>
-
-        * libtiff/tif_dirwrite.c: in TIFFWriteDirectoryTagCheckedXXXX()
-        functions associated with LONG8/SLONG8 data type, replace assertion
-that
-        the file is BigTIFF, by a non-fatal error.
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2712
-        Reported by team OWL337
-
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1259; previous revision: 1.1258
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v  <-- 
-libtiff/tif_dirwrite.c
-new revision: 1.86; previous revision: 1.85
-
-Index: libtiff/libtiff/tif_dirwrite.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v
-retrieving revision 1.85
-retrieving revision 1.86
-diff -u -r1.85 -r1.86
---- libtiff/libtiff/tif_dirwrite.c	11 Jan 2017 16:09:02 -0000	1.85
-+++ libtiff/libtiff/tif_dirwrite.c	30 Jun 2017 17:29:44 -0000	1.86
-@@ -1,4 +1,4 @@
--/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */
-+/* $Id: tif_dirwrite.c,v 1.86 2017-06-30 17:29:44 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -2111,7 +2111,10 @@
- {
- 	uint64 m;
- 	assert(sizeof(uint64)==8);
--	assert(tif->tif_flags&TIFF_BIGTIFF);
-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+		return(0);
-+	}
- 	m=value;
- 	if (tif->tif_flags&TIFF_SWAB)
- 		TIFFSwabLong8(&m);
-@@ -2124,7 +2127,10 @@
- {
- 	assert(count<0x20000000);
- 	assert(sizeof(uint64)==8);
--	assert(tif->tif_flags&TIFF_BIGTIFF);
-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","LONG8 not allowed for ClassicTIFF");
-+		return(0);
-+	}
- 	if (tif->tif_flags&TIFF_SWAB)
- 		TIFFSwabArrayOfLong8(value,count);
- 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value));
-@@ -2136,7 +2142,10 @@
- {
- 	int64 m;
- 	assert(sizeof(int64)==8);
--	assert(tif->tif_flags&TIFF_BIGTIFF);
-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+		return(0);
-+	}
- 	m=value;
- 	if (tif->tif_flags&TIFF_SWAB)
- 		TIFFSwabLong8((uint64*)(&m));
-@@ -2149,7 +2158,10 @@
- {
- 	assert(count<0x20000000);
- 	assert(sizeof(int64)==8);
--	assert(tif->tif_flags&TIFF_BIGTIFF);
-+	if( !(tif->tif_flags&TIFF_BIGTIFF) ) {
-+		TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","SLONG8 not allowed for ClassicTIFF");
-+		return(0);
-+	}
- 	if (tif->tif_flags&TIFF_SWAB)
- 		TIFFSwabArrayOfLong8((uint64*)value,count);
- 	return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,count*8,value));
diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/packages/patches/libtiff-CVE-2017-9936.patch
deleted file mode 100644
index fbdbcd0f0b..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2017-9936.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2017-9936:
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2706
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
-https://security-tracker.debian.org/tracker/CVE-2017-9936
-
-Patch lifted from upstream source repository (the changes to 'ChangeLog'
-don't apply to the libtiff 4.0.8 release tarball).
-
-3rd party Git reference:
-
-https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a
-
-2017-06-26  Even Rouault <even.rouault at spatialys.com>
-
-        * libtiff/tif_jbig.c: fix memory leak in error code path of
-JBIGDecode()
-        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2706
-        Reported by team OWL337
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1254; previous revision: 1.1253
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v  <--  libtiff/tif_jbig.c
-new revision: 1.16; previous revision: 1.15
-
-Index: libtiff/libtiff/tif_jbig.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jbig.c,v
-retrieving revision 1.15
-retrieving revision 1.16
-diff -u -r1.15 -r1.16
---- libtiff/libtiff/tif_jbig.c	10 Mar 2010 18:56:48 -0000	1.15
-+++ libtiff/libtiff/tif_jbig.c	26 Jun 2017 15:20:00 -0000	1.16
-@@ -1,4 +1,4 @@
--/* $Id: tif_jbig.c,v 1.15 2010-03-10 18:56:48 bfriesen Exp $ */
-+/* $Id: tif_jbig.c,v 1.16 2017-06-26 15:20:00 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -94,6 +94,7 @@
- 			     jbg_strerror(decodeStatus)
- #endif
- 			     );
-+		jbg_dec_free(&decoder);
- 		return 0;
- 	}
- 
diff --git a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch b/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
deleted file mode 100644
index 84566ca23e..0000000000
--- a/gnu/packages/patches/libtiff-tiffgetfield-bugs.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-Fix several bugs in libtiff related to use of TIFFGetField():
-
-http://bugzilla.maptools.org/show_bug.cgi?id=2580
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8128
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5318
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10095
-
-Patch copied from upstream CVS. 3rd-party Git reference:
-https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06
-
-2017-06-01  Even Rouault <even.rouault at spatialys.com>
-
-* libtiff/tif_dirinfo.c, tif_dirread.c: add _TIFFCheckFieldIsValidForCodec(),
-and use it in TIFFReadDirectory() so as to ignore fields whose tag is a
-codec-specified tag but this codec is not enabled. This avoids TIFFGetField()
-to behave differently depending on whether the codec is enabled or not, and
-thus can avoid stack based buffer overflows in a number of TIFF utilities
-such as tiffsplit, tiffcmp, thumbnail, etc.
-Patch derived from 0063-Handle-properly-CODEC-specific-tags.patch
-(http://bugzilla.maptools.org/show_bug.cgi?id=2580) by Raphaël Hertzog.
-Fixes:
-http://bugzilla.maptools.org/show_bug.cgi?id=2580
-http://bugzilla.maptools.org/show_bug.cgi?id=2693
-http://bugzilla.maptools.org/show_bug.cgi?id=2625 (CVE-2016-10095)
-http://bugzilla.maptools.org/show_bug.cgi?id=2564 (CVE-2015-7554)
-http://bugzilla.maptools.org/show_bug.cgi?id=2561 (CVE-2016-5318)
-http://bugzilla.maptools.org/show_bug.cgi?id=2499 (CVE-2014-8128)
-http://bugzilla.maptools.org/show_bug.cgi?id=2441
-http://bugzilla.maptools.org/show_bug.cgi?id=2433
-Index: libtiff/libtiff/tif_dirread.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v
-retrieving revision 1.208
-retrieving revision 1.209
-diff -u -r1.208 -r1.209
---- libtiff/libtiff/tif_dirread.c	27 Apr 2017 15:46:22 -0000	1.208
-+++ libtiff/libtiff/tif_dirread.c	1 Jun 2017 12:44:04 -0000	1.209
-@@ -1,4 +1,4 @@
--/* $Id: tif_dirread.c,v 1.208 2017-04-27 15:46:22 erouault Exp $ */
-+/* $Id: tif_dirread.c,v 1.209 2017-06-01 12:44:04 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -3580,6 +3580,10 @@
- 							goto bad;
- 						dp->tdir_tag=IGNORE;
- 						break;
-+                                        default:
-+                                            if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
-+                                                dp->tdir_tag=IGNORE;
-+                                            break;
- 				}
- 			}
- 		}
-Index: libtiff/libtiff/tif_dirinfo.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirinfo.c,v
-retrieving revision 1.126
-retrieving revision 1.127
-diff -u -r1.126 -r1.127
---- libtiff/libtiff/tif_dirinfo.c	18 Nov 2016 02:52:13 -0000	1.126
-+++ libtiff/libtiff/tif_dirinfo.c	1 Jun 2017 12:44:04 -0000	1.127
-@@ -1,4 +1,4 @@
--/* $Id: tif_dirinfo.c,v 1.126 2016-11-18 02:52:13 bfriesen Exp $ */
-+/* $Id: tif_dirinfo.c,v 1.127 2017-06-01 12:44:04 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -956,6 +956,109 @@
- 	return 0;
- }
- 
-+int
-+_TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag)
-+{
-+	/* Filter out non-codec specific tags */
-+	switch (tag) {
-+	    /* Shared tags */
-+	    case TIFFTAG_PREDICTOR:
-+	    /* JPEG tags */
-+	    case TIFFTAG_JPEGTABLES:
-+	    /* OJPEG tags */
-+	    case TIFFTAG_JPEGIFOFFSET:
-+	    case TIFFTAG_JPEGIFBYTECOUNT:
-+	    case TIFFTAG_JPEGQTABLES:
-+	    case TIFFTAG_JPEGDCTABLES:
-+	    case TIFFTAG_JPEGACTABLES:
-+	    case TIFFTAG_JPEGPROC:
-+	    case TIFFTAG_JPEGRESTARTINTERVAL:
-+	    /* CCITT* */
-+	    case TIFFTAG_BADFAXLINES:
-+	    case TIFFTAG_CLEANFAXDATA:
-+	    case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+	    case TIFFTAG_GROUP3OPTIONS:
-+	    case TIFFTAG_GROUP4OPTIONS:
-+		break;
-+	    default:
-+		return 1;
-+	}
-+	/* Check if codec specific tags are allowed for the current
-+	 * compression scheme (codec) */
-+	switch (tif->tif_dir.td_compression) {
-+	    case COMPRESSION_LZW:
-+		if (tag == TIFFTAG_PREDICTOR)
-+		    return 1;
-+		break;
-+	    case COMPRESSION_PACKBITS:
-+		/* No codec-specific tags */
-+		break;
-+	    case COMPRESSION_THUNDERSCAN:
-+		/* No codec-specific tags */
-+		break;
-+	    case COMPRESSION_NEXT:
-+		/* No codec-specific tags */
-+		break;
-+	    case COMPRESSION_JPEG:
-+		if (tag == TIFFTAG_JPEGTABLES)
-+		    return 1;
-+		break;
-+	    case COMPRESSION_OJPEG:
-+		switch (tag) {
-+		    case TIFFTAG_JPEGIFOFFSET:
-+		    case TIFFTAG_JPEGIFBYTECOUNT:
-+		    case TIFFTAG_JPEGQTABLES:
-+		    case TIFFTAG_JPEGDCTABLES:
-+		    case TIFFTAG_JPEGACTABLES:
-+		    case TIFFTAG_JPEGPROC:
-+		    case TIFFTAG_JPEGRESTARTINTERVAL:
-+			return 1;
-+		}
-+		break;
-+	    case COMPRESSION_CCITTRLE:
-+	    case COMPRESSION_CCITTRLEW:
-+	    case COMPRESSION_CCITTFAX3:
-+	    case COMPRESSION_CCITTFAX4:
-+		switch (tag) {
-+		    case TIFFTAG_BADFAXLINES:
-+		    case TIFFTAG_CLEANFAXDATA:
-+		    case TIFFTAG_CONSECUTIVEBADFAXLINES:
-+			return 1;
-+		    case TIFFTAG_GROUP3OPTIONS:
-+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX3)
-+			    return 1;
-+			break;
-+		    case TIFFTAG_GROUP4OPTIONS:
-+			if (tif->tif_dir.td_compression == COMPRESSION_CCITTFAX4)
-+			    return 1;
-+			break;
-+		}
-+		break;
-+	    case COMPRESSION_JBIG:
-+		/* No codec-specific tags */
-+		break;
-+	    case COMPRESSION_DEFLATE:
-+	    case COMPRESSION_ADOBE_DEFLATE:
-+		if (tag == TIFFTAG_PREDICTOR)
-+		    return 1;
-+		break;
-+	   case COMPRESSION_PIXARLOG:
-+		if (tag == TIFFTAG_PREDICTOR)
-+		    return 1;
-+		break;
-+	    case COMPRESSION_SGILOG:
-+	    case COMPRESSION_SGILOG24:
-+		/* No codec-specific tags */
-+		break;
-+	    case COMPRESSION_LZMA:
-+		if (tag == TIFFTAG_PREDICTOR)
-+		    return 1;
-+		break;
-+
-+	}
-+	return 0;
-+}
-+
- /* vim: set ts=8 sts=8 sw=8 noet: */
- 
- /*
-Index: libtiff/libtiff/tif_dir.h
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.h,v
-retrieving revision 1.54
-retrieving revision 1.55
-diff -u -r1.54 -r1.55
---- libtiff/libtiff/tif_dir.h	18 Feb 2011 20:53:05 -0000	1.54
-+++ libtiff/libtiff/tif_dir.h	1 Jun 2017 12:44:04 -0000	1.55
-@@ -1,4 +1,4 @@
--/* $Id: tif_dir.h,v 1.54 2011-02-18 20:53:05 fwarmerdam Exp $ */
-+/* $Id: tif_dir.h,v 1.55 2017-06-01 12:44:04 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -291,6 +291,7 @@
- extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32);
- extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32, TIFFDataType);
- extern  TIFFField* _TIFFCreateAnonField(TIFF *, uint32, TIFFDataType);
-+extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
- 
- #if defined(__cplusplus)
- }
diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch
deleted file mode 100644
index 060740d953..0000000000
--- a/gnu/packages/patches/libtiff-tiffycbcrtorgb-integer-overflow.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Fix an integer overflow TIFFYCbCrtoRGB():
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
-
-3rd party Git reference:
-
-https://github.com/vadz/libtiff/commit/02669064e927074819ce1ed39aba0fccaa167717
-
-2017-05-29  Even Rouault <even.rouault at spatialys.com>
-
-        * libtiff/tif_color.c: TIFFYCbCrToRGBInit(): stricter clamping to avoid
-        int32 overflow in TIFFYCbCrtoRGB().
-        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1844
-        Credit to OSS Fuzz
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1241; previous revision: 1.1240
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v  <--  libtiff/tif_color.c
-new revision: 1.24; previous revision: 1.23
-
-Index: libtiff/libtiff/tif_color.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_color.c,v
-retrieving revision 1.23
-retrieving revision 1.24
-diff -u -r1.23 -r1.24
---- libtiff/libtiff/tif_color.c	13 May 2017 18:17:34 -0000	1.23
-+++ libtiff/libtiff/tif_color.c	29 May 2017 10:12:54 -0000	1.24
-@@ -1,4 +1,4 @@
--/* $Id: tif_color.c,v 1.23 2017-05-13 18:17:34 erouault Exp $ */
-+/* $Id: tif_color.c,v 1.24 2017-05-29 10:12:54 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1988-1997 Sam Leffler
-@@ -275,10 +275,10 @@
-       for (i = 0, x = -128; i < 256; i++, x++) {
- 	    int32 Cr = (int32)CLAMPw(Code2V(x, refBlackWhite[4] - 128.0F,
- 			    refBlackWhite[5] - 128.0F, 127),
--                            -128.0F * 64, 128.0F * 64);
-+                            -128.0F * 32, 128.0F * 32);
- 	    int32 Cb = (int32)CLAMPw(Code2V(x, refBlackWhite[2] - 128.0F,
- 			    refBlackWhite[3] - 128.0F, 127),
--                            -128.0F * 64, 128.0F * 64);
-+                            -128.0F * 32, 128.0F * 32);
- 
- 	    ycbcr->Cr_r_tab[i] = (int32)((D1*Cr + ONE_HALF)>>SHIFT);
- 	    ycbcr->Cb_b_tab[i] = (int32)((D3*Cb + ONE_HALF)>>SHIFT);
-@@ -286,7 +286,7 @@
- 	    ycbcr->Cb_g_tab[i] = D4*Cb + ONE_HALF;
- 	    ycbcr->Y_tab[i] =
- 		    (int32)CLAMPw(Code2V(x + 128, refBlackWhite[0], refBlackWhite[1], 255),
--                                  -128.0F * 64, 128.0F * 64);
-+                                  -128.0F * 32, 128.0F * 32);
-       }
-     }
- 
diff --git a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch b/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch
deleted file mode 100644
index a990641a49..0000000000
--- a/gnu/packages/patches/libtiff-tiffycbcrtorgbinit-integer-overflow.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Fix an integer overflow in initYCbCrConversion():
-
-https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
-
-3rd party Git reference
-
-https://github.com/vadz/libtiff/commit/468988860e0dae62ebbf991627c74bcbb4bd256f
-
-        * libtiff/tif_getimage.c: initYCbCrConversion(): stricter validation for
-        refBlackWhite coefficients values. To avoid invalid float->int32 conversion
-        (when refBlackWhite[0] == 2147483648.f)
-        Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1907
-        Credit to OSS Fuzz
-
-
-/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
-new revision: 1.1243; previous revision: 1.1242
-/cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v  <--  libtiff/tif_getimage.c
-new revision: 1.107; previous revision: 1.106
-
-Index: libtiff/libtiff/tif_getimage.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_getimage.c,v
-retrieving revision 1.106
-retrieving revision 1.107
-diff -u -r1.106 -r1.107
---- libtiff/libtiff/tif_getimage.c	20 May 2017 11:29:02 -0000	1.106
-+++ libtiff/libtiff/tif_getimage.c	29 May 2017 11:29:06 -0000	1.107
-@@ -1,4 +1,4 @@
--/* $Id: tif_getimage.c,v 1.106 2017-05-20 11:29:02 erouault Exp $ */
-+/* $Id: tif_getimage.c,v 1.107 2017-05-29 11:29:06 erouault Exp $ */
- 
- /*
-  * Copyright (c) 1991-1997 Sam Leffler
-@@ -2241,7 +2241,7 @@
- 
- static int isInRefBlackWhiteRange(float f)
- {
--    return f >= (float)(-0x7FFFFFFF + 128) && f <= (float)0x7FFFFFFF;
-+    return f > (float)(-0x7FFFFFFF + 128) && f < (float)0x7FFFFFFF;
- }
- 
- static int
diff --git a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch b/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
deleted file mode 100644
index 742e64df25..0000000000
--- a/gnu/packages/patches/libtirpc-CVE-2017-8779.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-Fix CVE-2017-8779:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
-
-Patch copied from the bug reporter's 3rd-party repository:
-
-https://github.com/guidovranken/rpcbomb/blob/master/libtirpc_patch.txt
-
-diff --git a/src/rpc_generic.c b/src/rpc_generic.c
-index 2f09a8f..589cbd5 100644
---- a/src/rpc_generic.c
-+++ b/src/rpc_generic.c
-@@ -615,6 +615,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
- 
- 	switch (af) {
- 	case AF_INET:
-+		if (nbuf->len < sizeof(*sin)) {
-+			return NULL;
-+		}
- 		sin = nbuf->buf;
- 		if (inet_ntop(af, &sin->sin_addr, namebuf, sizeof namebuf)
- 		    == NULL)
-@@ -626,6 +629,9 @@ __rpc_taddr2uaddr_af(int af, const struct netbuf *nbuf)
- 		break;
- #ifdef INET6
- 	case AF_INET6:
-+		if (nbuf->len < sizeof(*sin6)) {
-+			return NULL;
-+		}
- 		sin6 = nbuf->buf;
- 		if (inet_ntop(af, &sin6->sin6_addr, namebuf6, sizeof namebuf6)
- 		    == NULL)
-@@ -667,6 +673,8 @@ __rpc_uaddr2taddr_af(int af, const char *uaddr)
- 
- 	port = 0;
- 	sin = NULL;
-+	if (uaddr == NULL)
-+		return NULL;
- 	addrstr = strdup(uaddr);
- 	if (addrstr == NULL)
- 		return NULL;
-diff --git a/src/rpcb_prot.c b/src/rpcb_prot.c
-index 43fd385..a923c8e 100644
---- a/src/rpcb_prot.c
-+++ b/src/rpcb_prot.c
-@@ -41,6 +41,7 @@
- #include <rpc/types.h>
- #include <rpc/xdr.h>
- #include <rpc/rpcb_prot.h>
-+#include "rpc_com.h"
- 
- bool_t
- xdr_rpcb(xdrs, objp)
-@@ -53,13 +54,13 @@ xdr_rpcb(xdrs, objp)
- 	if (!xdr_u_int32_t(xdrs, &objp->r_vers)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_netid, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_addr, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_addr, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_owner, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_owner, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	return (TRUE);
-@@ -159,19 +160,19 @@ xdr_rpcb_entry(xdrs, objp)
- 	XDR *xdrs;
- 	rpcb_entry *objp;
- {
--	if (!xdr_string(xdrs, &objp->r_maddr, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_maddr, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_nc_netid, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_nc_netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	if (!xdr_u_int32_t(xdrs, &objp->r_nc_semantics)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_nc_protofmly, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_nc_protofmly, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->r_nc_proto, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->r_nc_proto, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	return (TRUE);
-@@ -292,7 +293,7 @@ xdr_rpcb_rmtcallres(xdrs, p)
- 	bool_t dummy;
- 	struct r_rpcb_rmtcallres *objp = (struct r_rpcb_rmtcallres *)(void *)p;
- 
--	if (!xdr_string(xdrs, &objp->addr, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->addr, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	if (!xdr_u_int(xdrs, &objp->results.results_len)) {
-@@ -312,6 +313,11 @@ xdr_netbuf(xdrs, objp)
- 	if (!xdr_u_int32_t(xdrs, (u_int32_t *) &objp->maxlen)) {
- 		return (FALSE);
- 	}
-+
-+	if (objp->maxlen > RPC_MAXDATASIZE) {
-+		return (FALSE);
-+	}
-+
- 	dummy = xdr_bytes(xdrs, (char **)&(objp->buf),
- 			(u_int *)&(objp->len), objp->maxlen);
- 	return (dummy);
-diff --git a/src/rpcb_st_xdr.c b/src/rpcb_st_xdr.c
-index 08db745..28e6a48 100644
---- a/src/rpcb_st_xdr.c
-+++ b/src/rpcb_st_xdr.c
-@@ -37,6 +37,7 @@
- 
- 
- #include <rpc/rpc.h>
-+#include "rpc_com.h"
- 
- /* Link list of all the stats about getport and getaddr */
- 
-@@ -58,7 +59,7 @@ xdr_rpcbs_addrlist(xdrs, objp)
- 	    if (!xdr_int(xdrs, &objp->failure)) {
- 		return (FALSE);
- 	    }
--	    if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
-+	    if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	    }
- 
-@@ -109,7 +110,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
- 		IXDR_PUT_INT32(buf, objp->failure);
- 		IXDR_PUT_INT32(buf, objp->indirect);
- 	}
--	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	if (!xdr_pointer(xdrs, (char **)&objp->next,
-@@ -147,7 +148,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
- 		objp->failure = (int)IXDR_GET_INT32(buf);
- 		objp->indirect = (int)IXDR_GET_INT32(buf);
- 	}
--	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	if (!xdr_pointer(xdrs, (char **)&objp->next,
-@@ -175,7 +176,7 @@ xdr_rpcbs_rmtcalllist(xdrs, objp)
- 	if (!xdr_int(xdrs, &objp->indirect)) {
- 		return (FALSE);
- 	}
--	if (!xdr_string(xdrs, &objp->netid, (u_int)~0)) {
-+	if (!xdr_string(xdrs, &objp->netid, RPC_MAXDATASIZE)) {
- 		return (FALSE);
- 	}
- 	if (!xdr_pointer(xdrs, (char **)&objp->next,
-diff --git a/src/xdr.c b/src/xdr.c
-index f3fb9ad..b9a1558 100644
---- a/src/xdr.c
-+++ b/src/xdr.c
-@@ -42,8 +42,10 @@
- #include <stdlib.h>
- #include <string.h>
- 
-+#include <rpc/rpc.h>
- #include <rpc/types.h>
- #include <rpc/xdr.h>
-+#include <rpc/rpc_com.h>
- 
- typedef quad_t          longlong_t;     /* ANSI long long type */
- typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
-@@ -53,7 +55,6 @@ typedef u_quad_t        u_longlong_t;   /* ANSI unsigned long long type */
-  */
- #define XDR_FALSE	((long) 0)
- #define XDR_TRUE	((long) 1)
--#define LASTUNSIGNED	((u_int) 0-1)
- 
- /*
-  * for unit alignment
-@@ -629,6 +630,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
- {
- 	char *sp = *cpp;  /* sp is the actual string pointer */
- 	u_int nodesize;
-+	bool_t ret, allocated = FALSE;
- 
- 	/*
- 	 * first deal with the length since xdr bytes are counted
-@@ -652,6 +654,7 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
- 		}
- 		if (sp == NULL) {
- 			*cpp = sp = mem_alloc(nodesize);
-+			allocated = TRUE;
- 		}
- 		if (sp == NULL) {
- 			warnx("xdr_bytes: out of memory");
-@@ -660,7 +663,14 @@ xdr_bytes(xdrs, cpp, sizep, maxsize)
- 		/* FALLTHROUGH */
- 
- 	case XDR_ENCODE:
--		return (xdr_opaque(xdrs, sp, nodesize));
-+		ret = xdr_opaque(xdrs, sp, nodesize);
-+		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
-+			if (allocated == TRUE) {
-+				free(sp);
-+				*cpp = NULL;
-+			}
-+		}
-+		return (ret);
- 
- 	case XDR_FREE:
- 		if (sp != NULL) {
-@@ -754,6 +764,7 @@ xdr_string(xdrs, cpp, maxsize)
- 	char *sp = *cpp;  /* sp is the actual string pointer */
- 	u_int size;
- 	u_int nodesize;
-+	bool_t ret, allocated = FALSE;
- 
- 	/*
- 	 * first deal with the length since xdr strings are counted-strings
-@@ -793,8 +804,10 @@ xdr_string(xdrs, cpp, maxsize)
- 	switch (xdrs->x_op) {
- 
- 	case XDR_DECODE:
--		if (sp == NULL)
-+		if (sp == NULL) {
- 			*cpp = sp = mem_alloc(nodesize);
-+			allocated = TRUE;
-+		}
- 		if (sp == NULL) {
- 			warnx("xdr_string: out of memory");
- 			return (FALSE);
-@@ -803,7 +816,14 @@ xdr_string(xdrs, cpp, maxsize)
- 		/* FALLTHROUGH */
- 
- 	case XDR_ENCODE:
--		return (xdr_opaque(xdrs, sp, size));
-+		ret = xdr_opaque(xdrs, sp, size);
-+		if ((xdrs->x_op == XDR_DECODE) && (ret == FALSE)) {
-+			if (allocated == TRUE) {
-+				free(sp);
-+				*cpp = NULL;
-+			}
-+		}
-+		return (ret);
- 
- 	case XDR_FREE:
- 		mem_free(sp, nodesize);
-@@ -823,7 +843,7 @@ xdr_wrapstring(xdrs, cpp)
- 	XDR *xdrs;
- 	char **cpp;
- {
--	return xdr_string(xdrs, cpp, LASTUNSIGNED);
-+	return xdr_string(xdrs, cpp, RPC_MAXDATASIZE);
- }
- 
- /*
diff --git a/gnu/packages/patches/libtirpc-missing-headers.patch b/gnu/packages/patches/libtirpc-missing-headers.patch
new file mode 100644
index 0000000000..5a96711820
--- /dev/null
+++ b/gnu/packages/patches/libtirpc-missing-headers.patch
@@ -0,0 +1,40 @@
+Fix compilation failure with glibc 2.26 caused by missing type
+declarations:
+
+------
+xdr_sizeof.c: In function ‘x_inline’:
+xdr_sizeof.c:93:13: error: ‘uintptr_t’ undeclared (first use in this function)
+  if (len < (uintptr_t)xdrs->x_base) {
+------
+
+Patch copied from upstream source repository:
+
+http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=acb9a37977cf0a9630eac74af9adebf35e38e719
+
+From acb9a37977cf0a9630eac74af9adebf35e38e719 Mon Sep 17 00:00:00 2001
+From: Thorsten Kukuk <kukuk@thkukuk.de>
+Date: Tue, 14 Nov 2017 10:39:08 -0500
+Subject: [PATCH] Include stdint.h from xdr_sizeof.c to avoid missing
+ declaration errors.
+
+Signed-off-by: Thorsten Kukuk <kukuk@suse.de>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ src/xdr_sizeof.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/xdr_sizeof.c b/src/xdr_sizeof.c
+index d23fbd1..79d6707 100644
+--- a/src/xdr_sizeof.c
++++ b/src/xdr_sizeof.c
+@@ -39,6 +39,7 @@
+ #include <rpc/xdr.h>
+ #include <sys/types.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include "un-namespace.h"
+ 
+ /* ARGSUSED */
+-- 
+1.8.3.1
+
diff --git a/gnu/packages/patches/libunistring-gnulib-multi-core.patch b/gnu/packages/patches/libunistring-gnulib-multi-core.patch
deleted file mode 100644
index 709b20c6d2..0000000000
--- a/gnu/packages/patches/libunistring-gnulib-multi-core.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-This patch fixes performance problems on multi-core machines
-as reported at <https://bugs.gnu.org/26441>.
-
-See commit 480d374e596a0ee3fed168ab42cd84c313ad3c89 in Gnulib
-by Bruno Haible <bruno@clisp.org>.
-
-diff --git a/tests/test-lock.c b/tests/test-lock.c
-index cb734b4e6..aa6de2739 100644
---- a/tests/test-lock.c
-+++ b/tests/test-lock.c
-@@ -50,6 +50,13 @@
-    Uncomment this to see if the operating system has a fair scheduler.  */
- #define EXPLICIT_YIELD 1
- 
-+/* Whether to use 'volatile' on some variables that communicate information
-+   between threads.  If set to 0, a lock is used to protect these variables.
-+   If set to 1, 'volatile' is used; this is theoretically equivalent but can
-+   lead to much slower execution (e.g. 30x slower total run time on a 40-core
-+   machine.  */
-+#define USE_VOLATILE 0
-+
- /* Whether to print debugging messages.  */
- #define ENABLE_DEBUGGING 0
- 
-@@ -103,6 +110,51 @@
- # define yield()
- #endif
- 
-+#if USE_VOLATILE
-+struct atomic_int {
-+  volatile int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  return ai->value;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  ai->value = new_value;
-+}
-+#else
-+struct atomic_int {
-+  gl_lock_define (, lock)
-+  int value;
-+};
-+static void
-+init_atomic_int (struct atomic_int *ai)
-+{
-+  gl_lock_init (ai->lock);
-+}
-+static int
-+get_atomic_int_value (struct atomic_int *ai)
-+{
-+  gl_lock_lock (ai->lock);
-+  int ret = ai->value;
-+  gl_lock_unlock (ai->lock);
-+  return ret;
-+}
-+static void
-+set_atomic_int_value (struct atomic_int *ai, int new_value)
-+{
-+  gl_lock_lock (ai->lock);
-+  ai->value = new_value;
-+  gl_lock_unlock (ai->lock);
-+}
-+#endif
-+
- #define ACCOUNT_COUNT 4
- 
- static int account[ACCOUNT_COUNT];
-@@ -170,12 +222,12 @@ lock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int lock_checker_done;
-+static struct atomic_int lock_checker_done;
- 
- static void *
- lock_checker_thread (void *arg)
- {
--  while (!lock_checker_done)
-+  while (get_atomic_int_value (&lock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_lock_lock (my_lock);
-@@ -200,7 +252,8 @@ test_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  lock_checker_done = 0;
-+  init_atomic_int (&lock_checker_done);
-+  set_atomic_int_value (&lock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (lock_checker_thread, NULL);
-@@ -210,7 +263,7 @@ test_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  lock_checker_done = 1;
-+  set_atomic_int_value (&lock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
-@@ -254,12 +307,12 @@ rwlock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int rwlock_checker_done;
-+static struct atomic_int rwlock_checker_done;
- 
- static void *
- rwlock_checker_thread (void *arg)
- {
--  while (!rwlock_checker_done)
-+  while (get_atomic_int_value (&rwlock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check rdlock\n", gl_thread_self_pointer ());
-       gl_rwlock_rdlock (my_rwlock);
-@@ -284,7 +337,8 @@ test_rwlock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  rwlock_checker_done = 0;
-+  init_atomic_int (&rwlock_checker_done);
-+  set_atomic_int_value (&rwlock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-@@ -295,7 +349,7 @@ test_rwlock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  rwlock_checker_done = 1;
-+  set_atomic_int_value (&rwlock_checker_done, 1);
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (checkerthreads[i], NULL);
-   check_accounts ();
-@@ -356,12 +410,12 @@ reclock_mutator_thread (void *arg)
-   return NULL;
- }
- 
--static volatile int reclock_checker_done;
-+static struct atomic_int reclock_checker_done;
- 
- static void *
- reclock_checker_thread (void *arg)
- {
--  while (!reclock_checker_done)
-+  while (get_atomic_int_value (&reclock_checker_done) == 0)
-     {
-       dbgprintf ("Checker %p before check lock\n", gl_thread_self_pointer ());
-       gl_recursive_lock_lock (my_reclock);
-@@ -386,7 +440,8 @@ test_recursive_lock (void)
-   /* Initialization.  */
-   for (i = 0; i < ACCOUNT_COUNT; i++)
-     account[i] = 1000;
--  reclock_checker_done = 0;
-+  init_atomic_int (&reclock_checker_done);
-+  set_atomic_int_value (&reclock_checker_done, 0);
- 
-   /* Spawn the threads.  */
-   checkerthread = gl_thread_create (reclock_checker_thread, NULL);
-@@ -396,7 +451,7 @@ test_recursive_lock (void)
-   /* Wait for the threads to terminate.  */
-   for (i = 0; i < THREAD_COUNT; i++)
-     gl_thread_join (threads[i], NULL);
--  reclock_checker_done = 1;
-+  set_atomic_int_value (&reclock_checker_done, 1);
-   gl_thread_join (checkerthread, NULL);
-   check_accounts ();
- }
diff --git a/gnu/packages/patches/libxml2-CVE-2016-4658.patch b/gnu/packages/patches/libxml2-CVE-2016-4658.patch
deleted file mode 100644
index a4e1f31fae..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-4658.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-Fix CVE-2016-4658:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
-
-From c1d1f7121194036608bf555f08d3062a36fd344b Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 18:34:52 +0200
-Subject: [PATCH] Disallow namespace nodes in XPointer ranges
-
-Namespace nodes must be copied to avoid use-after-free errors.
-But they don't necessarily have a physical representation in a
-document, so simply disallow them in XPointer ranges.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-4658.
----
- xpointer.c | 149 +++++++++++++++++++++++--------------------------------------
- 1 file changed, 56 insertions(+), 93 deletions(-)
-
-diff --git a/xpointer.c b/xpointer.c
-index a7b03fbd..694d120e 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -320,6 +320,45 @@ xmlXPtrRangesEqual(xmlXPathObjectPtr range1, xmlXPathObjectPtr range2) {
- }
- 
- /**
-+ * xmlXPtrNewRangeInternal:
-+ * @start:  the starting node
-+ * @startindex:  the start index
-+ * @end:  the ending point
-+ * @endindex:  the ending index
-+ *
-+ * Internal function to create a new xmlXPathObjectPtr of type range
-+ *
-+ * Returns the newly created object.
-+ */
-+static xmlXPathObjectPtr
-+xmlXPtrNewRangeInternal(xmlNodePtr start, int startindex,
-+                        xmlNodePtr end, int endindex) {
-+    xmlXPathObjectPtr ret;
-+
-+    /*
-+     * Namespace nodes must be copied (see xmlXPathNodeSetDupNs).
-+     * Disallow them for now.
-+     */
-+    if ((start != NULL) && (start->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+    if ((end != NULL) && (end->type == XML_NAMESPACE_DECL))
-+	return(NULL);
-+
-+    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
-+    if (ret == NULL) {
-+        xmlXPtrErrMemory("allocating range");
-+	return(NULL);
-+    }
-+    memset(ret, 0, sizeof(xmlXPathObject));
-+    ret->type = XPATH_RANGE;
-+    ret->user = start;
-+    ret->index = startindex;
-+    ret->user2 = end;
-+    ret->index2 = endindex;
-+    return(ret);
-+}
-+
-+/**
-  * xmlXPtrNewRange:
-  * @start:  the starting node
-  * @startindex:  the start index
-@@ -344,17 +383,7 @@ xmlXPtrNewRange(xmlNodePtr start, int startindex,
-     if (endindex < 0)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = startindex;
--    ret->user2 = end;
--    ret->index2 = endindex;
-+    ret = xmlXPtrNewRangeInternal(start, startindex, end, endindex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -381,17 +410,8 @@ xmlXPtrNewRangePoints(xmlXPathObjectPtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end->user,
-+                                  end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -416,17 +436,7 @@ xmlXPtrNewRangePointNode(xmlXPathObjectPtr start, xmlNodePtr end) {
-     if (start->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start->user;
--    ret->index = start->index;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start->user, start->index, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -453,17 +463,7 @@ xmlXPtrNewRangeNodePoint(xmlNodePtr start, xmlXPathObjectPtr end) {
-     if (end->type != XPATH_POINT)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end->user;
--    ret->index2 = end->index;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end->user, end->index);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -486,17 +486,7 @@ xmlXPtrNewRangeNodes(xmlNodePtr start, xmlNodePtr end) {
-     if (end == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = end;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, end, -1);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
-@@ -516,17 +506,7 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-     if (start == NULL)
- 	return(NULL);
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    ret->user2 = NULL;
--    ret->index2 = -1;
-+    ret = xmlXPtrNewRangeInternal(start, -1, NULL, -1);
-     return(ret);
- }
- 
-@@ -541,6 +521,8 @@ xmlXPtrNewCollapsedRange(xmlNodePtr start) {
-  */
- xmlXPathObjectPtr
- xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
-+    xmlNodePtr endNode;
-+    int endIndex;
-     xmlXPathObjectPtr ret;
- 
-     if (start == NULL)
-@@ -549,7 +531,12 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	return(NULL);
-     switch (end->type) {
- 	case XPATH_POINT:
-+	    endNode = end->user;
-+	    endIndex = end->index;
-+	    break;
- 	case XPATH_RANGE:
-+	    endNode = end->user2;
-+	    endIndex = end->index2;
- 	    break;
- 	case XPATH_NODESET:
- 	    /*
-@@ -557,39 +544,15 @@ xmlXPtrNewRangeNodeObject(xmlNodePtr start, xmlXPathObjectPtr end) {
- 	     */
- 	    if (end->nodesetval->nodeNr <= 0)
- 		return(NULL);
-+	    endNode = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
-+	    endIndex = -1;
- 	    break;
- 	default:
- 	    /* TODO */
- 	    return(NULL);
-     }
- 
--    ret = (xmlXPathObjectPtr) xmlMalloc(sizeof(xmlXPathObject));
--    if (ret == NULL) {
--        xmlXPtrErrMemory("allocating range");
--	return(NULL);
--    }
--    memset(ret, 0 , (size_t) sizeof(xmlXPathObject));
--    ret->type = XPATH_RANGE;
--    ret->user = start;
--    ret->index = -1;
--    switch (end->type) {
--	case XPATH_POINT:
--	    ret->user2 = end->user;
--	    ret->index2 = end->index;
--	    break;
--	case XPATH_RANGE:
--	    ret->user2 = end->user2;
--	    ret->index2 = end->index2;
--	    break;
--	case XPATH_NODESET: {
--	    ret->user2 = end->nodesetval->nodeTab[end->nodesetval->nodeNr - 1];
--	    ret->index2 = -1;
--	    break;
--	}
--	default:
--	    STRANGE
--	    return(NULL);
--    }
-+    ret = xmlXPtrNewRangeInternal(start, -1, endNode, endIndex);
-     xmlXPtrRangeCheckOrder(ret);
-     return(ret);
- }
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2016-5131.patch b/gnu/packages/patches/libxml2-CVE-2016-5131.patch
deleted file mode 100644
index 38938c8e3e..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-5131.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-Fix CVE-2016-5131:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131
-
-Patches copied from upstream source repository (the test suite fails
-without the 2nd patch):
-
-https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
-
-From 9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:22:23 +0200
-Subject: [PATCH] Fix XPointer paths beginning with range-to
-
-The old code would invoke the broken xmlXPtrRangeToFunction. range-to
-isn't really a function but a special kind of location step. Remove
-this function and always handle range-to in the XPath code.
-
-The old xmlXPtrRangeToFunction could also be abused to trigger a
-use-after-free error with the potential for remote code execution.
-
-Found with afl-fuzz.
-
-Fixes CVE-2016-5131.
----
- result/XPath/xptr/vidbase | 13 ++++++++
- test/XPath/xptr/vidbase   |  1 +
- xpath.c                   |  7 ++++-
- xpointer.c                | 76 ++++-------------------------------------------
- 4 files changed, 26 insertions(+), 71 deletions(-)
-
-diff --git a/result/XPath/xptr/vidbase b/result/XPath/xptr/vidbase
-index 8b9e92d6..f19193e7 100644
---- a/result/XPath/xptr/vidbase
-+++ b/result/XPath/xptr/vidbase
-@@ -17,3 +17,16 @@ Object is a Location Set:
-   To node
-     ELEMENT p
- 
-+
-+========================
-+Expression: xpointer(range-to(id('chapter2')))
-+Object is a Location Set:
-+1 :   Object is a range :
-+  From node
-+     /
-+  To node
-+    ELEMENT chapter
-+      ATTRIBUTE id
-+        TEXT
-+          content=chapter2
-+
-diff --git a/test/XPath/xptr/vidbase b/test/XPath/xptr/vidbase
-index b1463830..884b1065 100644
---- a/test/XPath/xptr/vidbase
-+++ b/test/XPath/xptr/vidbase
-@@ -1,2 +1,3 @@
- xpointer(id('chapter1')/p)
- xpointer(id('chapter1')/p[1]/range-to(following-sibling::p[2]))
-+xpointer(range-to(id('chapter2')))
-diff --git a/xpath.c b/xpath.c
-index d992841e..5a01b1b3 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -10691,13 +10691,18 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
- 		    lc = 1;
- 		    break;
- 		} else if ((NXT(len) == '(')) {
--		    /* Note Type or Function */
-+		    /* Node Type or Function */
- 		    if (xmlXPathIsNodeType(name)) {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
- 				"PathExpr: Type search\n");
- #endif
- 			lc = 1;
-+#ifdef LIBXML_XPTR_ENABLED
-+                    } else if (ctxt->xptr &&
-+                               xmlStrEqual(name, BAD_CAST "range-to")) {
-+                        lc = 1;
-+#endif
- 		    } else {
- #ifdef DEBUG_STEP
- 		        xmlGenericError(xmlGenericErrorContext,
-diff --git a/xpointer.c b/xpointer.c
-index 676c5105..d74174a3 100644
---- a/xpointer.c
-+++ b/xpointer.c
-@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
-     ret->here = here;
-     ret->origin = origin;
- 
--    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
--	                 xmlXPtrRangeToFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
- 	                 xmlXPtrRangeFunction);
-     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
-@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
-  * @nargs:  the number of args
-  *
-  * Implement the range-to() XPointer function
-+ *
-+ * Obsolete. range-to is not a real function but a special type of location
-+ * step which is handled in xpath.c.
-  */
- void
--xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
--    xmlXPathObjectPtr range;
--    const xmlChar *cur;
--    xmlXPathObjectPtr res, obj;
--    xmlXPathObjectPtr tmp;
--    xmlLocationSetPtr newset = NULL;
--    xmlNodeSetPtr oldset;
--    int i;
--
--    if (ctxt == NULL) return;
--    CHECK_ARITY(1);
--    /*
--     * Save the expression pointer since we will have to evaluate
--     * it multiple times. Initialize the new set.
--     */
--    CHECK_TYPE(XPATH_NODESET);
--    obj = valuePop(ctxt);
--    oldset = obj->nodesetval;
--    ctxt->context->node = NULL;
--
--    cur = ctxt->cur;
--    newset = xmlXPtrLocationSetCreate(NULL);
--
--    for (i = 0; i < oldset->nodeNr; i++) {
--	ctxt->cur = cur;
--
--	/*
--	 * Run the evaluation with a node list made of a single item
--	 * in the nodeset.
--	 */
--	ctxt->context->node = oldset->nodeTab[i];
--	tmp = xmlXPathNewNodeSet(ctxt->context->node);
--	valuePush(ctxt, tmp);
--
--	xmlXPathEvalExpr(ctxt);
--	CHECK_ERROR;
--
--	/*
--	 * The result of the evaluation need to be tested to
--	 * decided whether the filter succeeded or not
--	 */
--	res = valuePop(ctxt);
--	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
--	if (range != NULL) {
--	    xmlXPtrLocationSetAdd(newset, range);
--	}
--
--	/*
--	 * Cleanup
--	 */
--	if (res != NULL)
--	    xmlXPathFreeObject(res);
--	if (ctxt->value == tmp) {
--	    res = valuePop(ctxt);
--	    xmlXPathFreeObject(res);
--	}
--
--	ctxt->context->node = NULL;
--    }
--
--    /*
--     * The result is used as the new evaluation set.
--     */
--    xmlXPathFreeObject(obj);
--    ctxt->context->node = NULL;
--    ctxt->context->contextSize = -1;
--    ctxt->context->proximityPosition = -1;
--    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
-+xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
-+                       int nargs ATTRIBUTE_UNUSED) {
-+    XP_ERROR(XPATH_EXPR_ERROR);
- }
- 
- /**
--- 
-2.11.0
-
-From a005199330b86dada19d162cae15ef9bdcb6baa8 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 28 Jun 2016 14:19:58 +0200
-Subject: [PATCH] Fix comparison with root node in xmlXPathCmpNodes
-
-This change has already been made in xmlXPathCmpNodesExt but not in
-xmlXPathCmpNodes.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 751665b8..d992841e 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
-      * compute depth to root
-      */
-     for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node1)
-+	if (cur->parent == node1)
- 	    return(1);
- 	depth2++;
-     }
-     root = cur;
-     for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
--	if (cur == node2)
-+	if (cur->parent == node2)
- 	    return(-1);
- 	depth1++;
-     }
--- 
-2.11.0
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-0663.patch b/gnu/packages/patches/libxml2-CVE-2017-0663.patch
deleted file mode 100644
index b0277a2d23..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-0663.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-0663:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0663
-https://security-tracker.debian.org/tracker/CVE-2017-0663
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
-
-From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 6 Jun 2017 12:56:28 +0200
-Subject: [PATCH] Fix type confusion in xmlValidateOneNamespace
-
-Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
-namespace declarations make no practical sense anyway.
-
-Fixes bug 780228.
-
-Found with libFuzzer and ASan.
----
- valid.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/valid.c b/valid.c
-index 8075d3a0..c51ea290 100644
---- a/valid.c
-+++ b/valid.c
-@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
- 	}
-     }
- 
-+    /*
-+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
-+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
-+     * no practical sense to use ID types anyway.
-+     */
-+#if 0
-     /* Validity Constraint: ID uniqueness */
-     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
-         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
-@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
-         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
- 	    ret = 0;
-     }
-+#endif
- 
-     /* Validity Constraint: Notation Attributes */
-     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-15412.patch b/gnu/packages/patches/libxml2-CVE-2017-15412.patch
deleted file mode 100644
index 07fe190ed1..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-15412.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2017-15412:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
-https://bugs.chromium.org/p/chromium/issues/detail?id=727039
-https://bugzilla.redhat.com/show_bug.cgi?id=1523128
-https://bugzilla.gnome.org/show_bug.cgi?id=783160
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
-
-From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Thu, 1 Jun 2017 23:12:19 +0200
-Subject: [PATCH] Fix XPath stack frame logic
-
-Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
-xmlXPathCompOpEvalPositionalPredicate to make sure that the context
-object on the stack is actually protected. Otherwise, memory corruption
-can occur when calling sloppily coded XPath extension functions.
-
-Fixes bug 783160.
----
- xpath.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/xpath.c b/xpath.c
-index 94815075..b816bd36 100644
---- a/xpath.c
-+++ b/xpath.c
-@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
- 		}
- 	    }
- 
--            frame = xmlXPathSetFrame(ctxt);
- 	    valuePush(ctxt, contextObj);
-+            frame = xmlXPathSetFrame(ctxt);
- 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
--            tmp = valuePop(ctxt);
-             xmlXPathPopFrame(ctxt, frame);
-+            tmp = valuePop(ctxt);
- 
- 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
-                 while (tmp != contextObj) {
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7375.patch b/gnu/packages/patches/libxml2-CVE-2017-7375.patch
deleted file mode 100644
index 32af1ff6ba..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7375.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-7375:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7375
-https://security-tracker.debian.org/tracker/CVE-2017-7375
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e
-
-From 90ccb58242866b0ba3edbef8fe44214a101c2b3e Mon Sep 17 00:00:00 2001
-From: Neel Mehta <nmehta@google.com>
-Date: Fri, 7 Apr 2017 17:43:02 +0200
-Subject: [PATCH] Prevent unwanted external entity reference
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780691
-
-* parser.c: add a specific check to avoid PE reference
----
- parser.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 609a2703..c2c812de 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8123,6 +8123,15 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
- 	    if (xmlPushInput(ctxt, input) < 0)
- 		return;
- 	} else {
-+	    if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) &&
-+	        ((ctxt->options & XML_PARSE_NOENT) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDVALID) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDLOAD) == 0) &&
-+		((ctxt->options & XML_PARSE_DTDATTR) == 0) &&
-+		(ctxt->replaceEntities == 0) &&
-+		(ctxt->validate == 0))
-+		return;
-+
- 	    /*
- 	     * TODO !!!
- 	     * handle the extra spaces added before and after
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-7376.patch b/gnu/packages/patches/libxml2-CVE-2017-7376.patch
deleted file mode 100644
index 5b9e45bd83..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-7376.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Fix CVE-2017-7376:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7376
-https://security-tracker.debian.org/tracker/CVE-2017-7376
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e
-
-From 5dca9eea1bd4263bfa4d037ab2443de1cd730f7e Mon Sep 17 00:00:00 2001
-From: Daniel Veillard <veillard@redhat.com>
-Date: Fri, 7 Apr 2017 17:13:28 +0200
-Subject: [PATCH] Increase buffer space for port in HTTP redirect support
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=780690
-
-nanohttp.c: the code wrongly assumed a short int port value.
----
- nanohttp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nanohttp.c b/nanohttp.c
-index e109ad75..373425de 100644
---- a/nanohttp.c
-+++ b/nanohttp.c
-@@ -1423,9 +1423,9 @@ retry:
-     if (ctxt->port != 80) {
- 	/* reserve space for ':xxxxx', incl. potential proxy */
- 	if (proxy)
--	    blen += 12;
-+	    blen += 17;
- 	else
--	    blen += 6;
-+	    blen += 11;
-     }
-     bp = (char*)xmlMallocAtomic(blen);
-     if ( bp == NULL ) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch b/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
deleted file mode 100644
index 0a0e6d34cf..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2017-{9047,9048}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9047
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9048
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9047
-https://security-tracker.debian.org/tracker/CVE-2017-9048
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
-
-From 932cc9896ab41475d4aa429c27d9afd175959d74 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Sat, 3 Jun 2017 02:01:29 +0200
-Subject: [PATCH] Fix buffer size checks in xmlSnprintfElementContent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-xmlSnprintfElementContent failed to correctly check the available
-buffer space in two locations.
-
-Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
-
-Thanks to Marcel Böhme and Thuan Pham for the report.
----
- result/valid/781333.xml         |  5 +++++
- result/valid/781333.xml.err     |  3 +++
- result/valid/781333.xml.err.rdr |  6 ++++++
- test/valid/781333.xml           |  4 ++++
- valid.c                         | 20 +++++++++++---------
- 5 files changed, 29 insertions(+), 9 deletions(-)
- create mode 100644 result/valid/781333.xml
- create mode 100644 result/valid/781333.xml.err
- create mode 100644 result/valid/781333.xml.err.rdr
- create mode 100644 test/valid/781333.xml
-
-diff --git a/result/valid/781333.xml b/result/valid/781333.xml
-new file mode 100644
-index 00000000..45dc451d
---- /dev/null
-+++ b/result/valid/781333.xml
-@@ -0,0 +1,5 @@
-+<?xml version="1.0"?>
-+<!DOCTYPE a [
-+<!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/result/valid/781333.xml.err b/result/valid/781333.xml.err
-new file mode 100644
-index 00000000..b401b49a
---- /dev/null
-+++ b/result/valid/781333.xml.err
-@@ -0,0 +1,3 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
-+<a/>
-+    ^
-diff --git a/result/valid/781333.xml.err.rdr b/result/valid/781333.xml.err.rdr
-new file mode 100644
-index 00000000..5ff56992
---- /dev/null
-+++ b/result/valid/781333.xml.err.rdr
-@@ -0,0 +1,6 @@
-+./test/valid/781333.xml:4: element a: validity error : Element a content does not follow the DTD, expecting ( ..., got 
-+<a/>
-+    ^
-+./test/valid/781333.xml:5: element a: validity error : Element a content does not follow the DTD, Expecting more child
-+
-+^
-diff --git a/test/valid/781333.xml b/test/valid/781333.xml
-new file mode 100644
-index 00000000..b29e5a68
---- /dev/null
-+++ b/test/valid/781333.xml
-@@ -0,0 +1,4 @@
-+<!DOCTYPE a [
-+    <!ELEMENT a (pppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp:llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll)>
-+]>
-+<a/>
-diff --git a/valid.c b/valid.c
-index 19f84b82..9b2df56a 100644
---- a/valid.c
-+++ b/valid.c
-@@ -1262,22 +1262,23 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
-         case XML_ELEMENT_CONTENT_PCDATA:
-             strcat(buf, "#PCDATA");
- 	    break;
--	case XML_ELEMENT_CONTENT_ELEMENT:
-+	case XML_ELEMENT_CONTENT_ELEMENT: {
-+            int qnameLen = xmlStrlen(content->name);
-+
-+	    if (content->prefix != NULL)
-+                qnameLen += xmlStrlen(content->prefix) + 1;
-+	    if (size - len < qnameLen + 10) {
-+		strcat(buf, " ...");
-+		return;
-+	    }
- 	    if (content->prefix != NULL) {
--		if (size - len < xmlStrlen(content->prefix) + 10) {
--		    strcat(buf, " ...");
--		    return;
--		}
- 		strcat(buf, (char *) content->prefix);
- 		strcat(buf, ":");
- 	    }
--	    if (size - len < xmlStrlen(content->name) + 10) {
--		strcat(buf, " ...");
--		return;
--	    }
- 	    if (content->name != NULL)
- 		strcat(buf, (char *) content->name);
- 	    break;
-+        }
- 	case XML_ELEMENT_CONTENT_SEQ:
- 	    if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- 	        (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
-@@ -1319,6 +1320,7 @@ xmlSnprintfElementContent(char *buf, int size, xmlElementContentPtr content, int
- 		xmlSnprintfElementContent(buf, size, content->c2, 0);
- 	    break;
-     }
-+    if (size - strlen(buf) <= 2) return;
-     if (englob)
-         strcat(buf, ")");
-     switch (content->ocur) {
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch b/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
deleted file mode 100644
index 890e9c2284..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch
+++ /dev/null
@@ -1,319 +0,0 @@
-Fix CVE-2017-{9049,9050}:
-
-https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not yet public)
-https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not yet public)
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
-http://www.openwall.com/lists/oss-security/2017/05/15/1
-https://security-tracker.debian.org/tracker/CVE-2017-9049
-https://security-tracker.debian.org/tracker/CVE-2017-9050
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
-
-Changes to 'runtest.c' are removed since they introduce test failure
-when applying to libxml2 2.9.4 release tarball.
-
-From e26630548e7d138d2c560844c43820b6767251e3 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 5 Jun 2017 15:37:17 +0200
-Subject: [PATCH] Fix handling of parameter-entity references
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There were two bugs where parameter-entity references could lead to an
-unexpected change of the input buffer in xmlParseNameComplex and
-xmlDictLookup being called with an invalid pointer.
-
-Percent sign in DTD Names
-=========================
-
-The NEXTL macro used to call xmlParserHandlePEReference. When parsing
-"complex" names inside the DTD, this could result in entity expansion
-which created a new input buffer. The fix is to simply remove the call
-to xmlParserHandlePEReference from the NEXTL macro. This is safe because
-no users of the macro require expansion of parameter entities.
-
-- xmlParseNameComplex
-- xmlParseNCNameComplex
-- xmlParseNmtoken
-
-The percent sign is not allowed in names, which are grammatical tokens.
-
-- xmlParseEntityValue
-
-Parameter-entity references in entity values are expanded but this
-happens in a separate step in this function.
-
-- xmlParseSystemLiteral
-
-Parameter-entity references are ignored in the system literal.
-
-- xmlParseAttValueComplex
-- xmlParseCharDataComplex
-- xmlParseCommentComplex
-- xmlParsePI
-- xmlParseCDSect
-
-Parameter-entity references are ignored outside the DTD.
-
-- xmlLoadEntityContent
-
-This function is only called from xmlStringLenDecodeEntities and
-entities are replaced in a separate step immediately after the function
-call.
-
-This bug could also be triggered with an internal subset and double
-entity expansion.
-
-This fixes bug 766956 initially reported by Wei Lei and independently by
-Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
-involved.
-
-xmlParseNameComplex with XML_PARSE_OLD10
-========================================
-
-When parsing Names inside an expanded parameter entity with the
-XML_PARSE_OLD10 option, xmlParseNameComplex would call xmlGROW via the
-GROW macro if the input buffer was exhausted. At the end of the
-parameter entity's replacement text, this function would then call
-xmlPopInput which invalidated the input buffer.
-
-There should be no need to invoke GROW in this situation because the
-buffer is grown periodically every XML_PARSER_CHUNK_SIZE characters and,
-at least for UTF-8, in xmlCurrentChar. This also matches the code path
-executed when XML_PARSE_OLD10 is not set.
-
-This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
-Thanks to Marcel Böhme and Thuan Pham for the report.
-
-Additional hardening
-====================
-
-A separate check was added in xmlParseNameComplex to validate the
-buffer size.
----
- Makefile.am                     | 18 ++++++++++++++++++
- parser.c                        | 18 ++++++++++--------
- result/errors10/781205.xml      |  0
- result/errors10/781205.xml.err  | 21 +++++++++++++++++++++
- result/errors10/781361.xml      |  0
- result/errors10/781361.xml.err  | 13 +++++++++++++
- result/valid/766956.xml         |  0
- result/valid/766956.xml.err     |  9 +++++++++
- result/valid/766956.xml.err.rdr | 10 ++++++++++
- runtest.c                       |  3 +++
- test/errors10/781205.xml        |  3 +++
- test/errors10/781361.xml        |  3 +++
- test/valid/766956.xml           |  2 ++
- test/valid/dtds/766956.dtd      |  2 ++
- 14 files changed, 94 insertions(+), 8 deletions(-)
- create mode 100644 result/errors10/781205.xml
- create mode 100644 result/errors10/781205.xml.err
- create mode 100644 result/errors10/781361.xml
- create mode 100644 result/errors10/781361.xml.err
- create mode 100644 result/valid/766956.xml
- create mode 100644 result/valid/766956.xml.err
- create mode 100644 result/valid/766956.xml.err.rdr
- create mode 100644 test/errors10/781205.xml
- create mode 100644 test/errors10/781361.xml
- create mode 100644 test/valid/766956.xml
- create mode 100644 test/valid/dtds/766956.dtd
-
-diff --git a/Makefile.am b/Makefile.am
-index 6fc8ffa9..10e716a5 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -427,6 +427,24 @@ Errtests : xmllint$(EXEEXT)
- 	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
- 	      rm result.$$name error.$$name ; \
- 	  fi ; fi ; done)
-+	@echo "## Error cases regression tests (old 1.0)"
-+	-@(for i in $(srcdir)/test/errors10/*.xml ; do \
-+	  name=`basename $$i`; \
-+	  if [ ! -d $$i ] ; then \
-+	  if [ ! -f $(srcdir)/result/errors10/$$name ] ; then \
-+	      echo New test file $$name ; \
-+	      $(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i \
-+	         2> $(srcdir)/result/errors10/$$name.err \
-+		 > $(srcdir)/result/errors10/$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	  else \
-+	      log=`$(CHECKER) $(top_builddir)/xmllint --oldxml10 $$i 2> error.$$name > result.$$name ; \
-+	      grep "MORY ALLO" .memdump  | grep -v "MEMORY ALLOCATED : 0"; \
-+	      diff $(srcdir)/result/errors10/$$name result.$$name ; \
-+	      diff $(srcdir)/result/errors10/$$name.err error.$$name` ; \
-+	      if [ -n "$$log" ] ; then echo $$name result ; echo "$$log" ; fi ; \
-+	      rm result.$$name error.$$name ; \
-+	  fi ; fi ; done)
- 	@echo "## Error cases stream regression tests"
- 	-@(for i in $(srcdir)/test/errors/*.xml ; do \
- 	  name=`basename $$i`; \
-diff --git a/parser.c b/parser.c
-index df2efa55..a175ac4e 100644
---- a/parser.c
-+++ b/parser.c
-@@ -2121,7 +2121,6 @@ static void xmlGROW (xmlParserCtxtPtr ctxt) {
- 	ctxt->input->line++; ctxt->input->col = 1;			\
-     } else ctxt->input->col++;						\
-     ctxt->input->cur += l;				\
--    if (*ctxt->input->cur == '%') xmlParserHandlePEReference(ctxt);	\
-   } while (0)
- 
- #define CUR_CHAR(l) xmlCurrentChar(ctxt, &l)
-@@ -3412,13 +3411,6 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
- 	    len += l;
- 	    NEXTL(l);
- 	    c = CUR_CHAR(l);
--	    if (c == 0) {
--		count = 0;
--		GROW;
--                if (ctxt->instate == XML_PARSER_EOF)
--                    return(NULL);
--		c = CUR_CHAR(l);
--	    }
- 	}
-     }
-     if ((len > XML_MAX_NAME_LENGTH) &&
-@@ -3426,6 +3418,16 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) {
-         xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name");
-         return(NULL);
-     }
-+    if (ctxt->input->cur - ctxt->input->base < len) {
-+        /*
-+         * There were a couple of bugs where PERefs lead to to a change
-+         * of the buffer. Check the buffer size to avoid passing an invalid
-+         * pointer to xmlDictLookup.
-+         */
-+        xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
-+                    "unexpected change of input buffer");
-+        return (NULL);
-+    }
-     if ((*ctxt->input->cur == '\n') && (ctxt->input->cur[-1] == '\r'))
-         return(xmlDictLookup(ctxt->dict, ctxt->input->cur - (len + 1), len));
-     return(xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));
-diff --git a/result/errors10/781205.xml b/result/errors10/781205.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781205.xml.err b/result/errors10/781205.xml.err
-new file mode 100644
-index 00000000..da15c3f7
---- /dev/null
-+++ b/result/errors10/781205.xml.err
-@@ -0,0 +1,21 @@
-+Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+Entity: line 1: parser error : DOCTYPE improperly terminated
-+ %a; 
-+    ^
-+Entity: line 1: 
-+<:0000
-+^
-+namespace error : Failed to parse QName ':0000'
-+ %a; 
-+    ^
-+<:0000
-+      ^
-+./test/errors10/781205.xml:4: parser error : Couldn't find end of Start Tag :0000 line 1
-+
-+^
-diff --git a/result/errors10/781361.xml b/result/errors10/781361.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/errors10/781361.xml.err b/result/errors10/781361.xml.err
-new file mode 100644
-index 00000000..655f41a2
---- /dev/null
-+++ b/result/errors10/781361.xml.err
-@@ -0,0 +1,13 @@
-+./test/errors10/781361.xml:4: parser error : xmlParseElementDecl: 'EMPTY', 'ANY' or '(' expected
-+
-+^
-+./test/errors10/781361.xml:4: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration
-+
-+
-+^
-+./test/errors10/781361.xml:4: parser error : DOCTYPE improperly terminated
-+
-+^
-+./test/errors10/781361.xml:4: parser error : Start tag expected, '<' not found
-+
-+^
-diff --git a/result/valid/766956.xml b/result/valid/766956.xml
-new file mode 100644
-index 00000000..e69de29b
-diff --git a/result/valid/766956.xml.err b/result/valid/766956.xml.err
-new file mode 100644
-index 00000000..34b1dae6
---- /dev/null
-+++ b/result/valid/766956.xml.err
-@@ -0,0 +1,9 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-diff --git a/result/valid/766956.xml.err.rdr b/result/valid/766956.xml.err.rdr
-new file mode 100644
-index 00000000..77603462
---- /dev/null
-+++ b/result/valid/766956.xml.err.rdr
-@@ -0,0 +1,10 @@
-+test/valid/dtds/766956.dtd:2: parser error : PEReference: expecting ';'
-+%ä%ent;
-+   ^
-+Entity: line 1: parser error : Content error in the external subset
-+ %ent; 
-+      ^
-+Entity: line 1: 
-+value
-+^
-+./test/valid/766956.xml : failed to parse
-diff --git a/test/errors10/781205.xml b/test/errors10/781205.xml
-new file mode 100644
-index 00000000..d9e9e839
---- /dev/null
-+++ b/test/errors10/781205.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE D [
-+  <!ENTITY % a "<:0000">
-+  %a;
-diff --git a/test/errors10/781361.xml b/test/errors10/781361.xml
-new file mode 100644
-index 00000000..67476bcb
---- /dev/null
-+++ b/test/errors10/781361.xml
-@@ -0,0 +1,3 @@
-+<!DOCTYPE doc [
-+  <!ENTITY % elem "<!ELEMENT e0000000000">
-+  %elem;
-diff --git a/test/valid/766956.xml b/test/valid/766956.xml
-new file mode 100644
-index 00000000..19a95a0e
---- /dev/null
-+++ b/test/valid/766956.xml
-@@ -0,0 +1,2 @@
-+<!DOCTYPE test SYSTEM "dtds/766956.dtd">
-+<test/>
-diff --git a/test/valid/dtds/766956.dtd b/test/valid/dtds/766956.dtd
-new file mode 100644
-index 00000000..dddde68b
---- /dev/null
-+++ b/test/valid/dtds/766956.dtd
-@@ -0,0 +1,2 @@
-+<!ENTITY % ent "value">
-+%ä%ent;
--- 
-2.14.1
-
diff --git a/gnu/packages/patches/libxslt-CVE-2016-4738.patch b/gnu/packages/patches/libxslt-CVE-2016-4738.patch
deleted file mode 100644
index a7537c66ca..0000000000
--- a/gnu/packages/patches/libxslt-CVE-2016-4738.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Fix CVE-2016-4738:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4738
-https://bugs.chromium.org/p/chromium/issues/detail?id=619006
-
-Patch copied from upstream source repository:
-https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
-
-From eb1030de31165b68487f288308f9d1810fed6880 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Fri, 10 Jun 2016 14:23:58 +0200
-Subject: [PATCH] Fix heap overread in xsltFormatNumberConversion
-
-An empty decimal-separator could cause a heap overread. This can be
-exploited to leak a couple of bytes after the buffer that holds the
-pattern string.
-
-Found with afl-fuzz and ASan.
----
- libxslt/numbers.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index d1549b4..e78c46b 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -1090,7 +1090,8 @@ xsltFormatNumberConversion(xsltDecimalFormatPtr self,
-     }
- 
-     /* We have finished the integer part, now work on fraction */
--    if (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) {
-+    if ( (*the_format != 0) &&
-+         (xsltUTF8Charcmp(the_format, self->decimalPoint) == 0) ) {
-         format_info.add_decimal = TRUE;
- 	the_format += xsltUTF8Size(the_format);	/* Skip over the decimal */
-     }
--- 
-2.10.2
-
diff --git a/gnu/packages/patches/libxslt-CVE-2017-5029.patch b/gnu/packages/patches/libxslt-CVE-2017-5029.patch
deleted file mode 100644
index cd86928b21..0000000000
--- a/gnu/packages/patches/libxslt-CVE-2017-5029.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-Fix CVE-2017-5029:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029
-
-Patch copied from upstream source repository:
-
-https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5
-
-From 08ab2774b870de1c7b5a48693df75e8154addae5 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Thu, 12 Jan 2017 15:39:52 +0100
-Subject: [PATCH] Check for integer overflow in xsltAddTextString
-
-Limit buffer size in xsltAddTextString to INT_MAX. The issue can be
-exploited to trigger an out of bounds write on 64-bit systems.
-
-Originally reported to Chromium:
-
-https://crbug.com/676623
----
- libxslt/transform.c     | 25 ++++++++++++++++++++++---
- libxslt/xsltInternals.h |  4 ++--
- 2 files changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/libxslt/transform.c b/libxslt/transform.c
-index 519133fc..02bff34a 100644
---- a/libxslt/transform.c
-+++ b/libxslt/transform.c
-@@ -813,13 +813,32 @@ xsltAddTextString(xsltTransformContextPtr ctxt, xmlNodePtr target,
-         return(target);
- 
-     if (ctxt->lasttext == target->content) {
-+        int minSize;
- 
--	if (ctxt->lasttuse + len >= ctxt->lasttsize) {
-+        /* Check for integer overflow accounting for NUL terminator. */
-+        if (len >= INT_MAX - ctxt->lasttuse) {
-+            xsltTransformError(ctxt, NULL, target,
-+                "xsltCopyText: text allocation failed\n");
-+            return(NULL);
-+        }
-+        minSize = ctxt->lasttuse + len + 1;
-+
-+        if (ctxt->lasttsize < minSize) {
- 	    xmlChar *newbuf;
- 	    int size;
-+            int extra;
-+
-+            /* Double buffer size but increase by at least 100 bytes. */
-+            extra = minSize < 100 ? 100 : minSize;
-+
-+            /* Check for integer overflow. */
-+            if (extra > INT_MAX - ctxt->lasttsize) {
-+                size = INT_MAX;
-+            }
-+            else {
-+                size = ctxt->lasttsize + extra;
-+            }
- 
--	    size = ctxt->lasttsize + len + 100;
--	    size *= 2;
- 	    newbuf = (xmlChar *) xmlRealloc(target->content,size);
- 	    if (newbuf == NULL) {
- 		xsltTransformError(ctxt, NULL, target,
-diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
-index 060b1783..5ad17719 100644
---- a/libxslt/xsltInternals.h
-+++ b/libxslt/xsltInternals.h
-@@ -1754,8 +1754,8 @@ struct _xsltTransformContext {
-      * Speed optimization when coalescing text nodes
-      */
-     const xmlChar  *lasttext;		/* last text node content */
--    unsigned int    lasttsize;		/* last text node size */
--    unsigned int    lasttuse;		/* last text node use */
-+    int             lasttsize;		/* last text node size */
-+    int             lasttuse;		/* last text node use */
-     /*
-      * Per Context Debugging
-      */
--- 
-2.15.1
-
diff --git a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch b/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch
deleted file mode 100644
index 1f1b26801d..0000000000
--- a/gnu/packages/patches/ncurses-CVE-2017-10684-10685.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-Fix CVE-2017-10684 and CVE-2017-10685:
-
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685
-
-Bug reports included proof of concept reproducer inputs:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1464684
-https://bugzilla.redhat.com/show_bug.cgi?id=1464685
-https://bugzilla.redhat.com/show_bug.cgi?id=1464686
-https://bugzilla.redhat.com/show_bug.cgi?id=1464687
-https://bugzilla.redhat.com/show_bug.cgi?id=1464688
-https://bugzilla.redhat.com/show_bug.cgi?id=1464691
-https://bugzilla.redhat.com/show_bug.cgi?id=1464692
-
-Patches copied from ncurses patch release 20170701:
-
-ftp://invisible-island.net/ncurses/6.0/ncurses-6.0-20170701.patch.gz
-
-Excerpt from patch release announcement:
-
- + add/improve checks in tic's parser to address invalid input
-   (Redhat #1464684, #1464685, #1464686, #1464691).
-   + alloc_entry.c, add a check for a null-pointer.
-   + parse_entry.c, add several checks for valid pointers as well as
-     one check to ensure that a single character on a line is not
-     treated as the 2-character termcap short-name.
- + the fixes for Redhat #1464685 obscured a problem subsequently
-   reported in Redhat #1464687; the given test-case was no longer
-   reproducible.  Testing without the fixes for the earlier reports
-   showed a problem with buffer overflow in dump_entry.c, which is
-   addressed by reducing the use of a fixed-size buffer.
-
-https://lists.gnu.org/archive/html/bug-ncurses/2017-07/msg00001.html
-
---- ncurses-6.0-20170624+/ncurses/tinfo/alloc_entry.c	2017-04-09 23:33:51.000000000 +0000
-+++ ncurses-6.0-20170701/ncurses/tinfo/alloc_entry.c	2017-06-27 23:48:55.000000000 +0000
-@@ -96,7 +96,11 @@
- {
-     char *result = 0;
-     size_t old_next_free = next_free;
--    size_t len = strlen(string) + 1;
-+    size_t len;
-+
-+    if (string == 0)
-+	return _nc_save_str("");
-+    len = strlen(string) + 1;
- 
-     if (len == 1 && next_free != 0) {
- 	/*
---- ncurses-6.0-20170624+/ncurses/tinfo/parse_entry.c	2017-06-24 22:59:46.000000000 +0000
-+++ ncurses-6.0-20170701/ncurses/tinfo/parse_entry.c	2017-06-28 00:53:12.000000000 +0000
-@@ -236,13 +236,14 @@
-      * implemented it.  Note that the resulting terminal type was never the
-      * 2-character name, but was instead the first alias after that.
-      */
-+#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')
-     ptr = _nc_curr_token.tk_name;
-     if (_nc_syntax == SYN_TERMCAP
- #if NCURSES_XNAMES
- 	&& !_nc_user_definable
- #endif
- 	) {
--	if (ptr[2] == '|') {
-+	if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {
- 	    ptr += 3;
- 	    _nc_curr_token.tk_name[2] = '\0';
- 	}
-@@ -284,9 +285,11 @@
- 	if (is_use || is_tc) {
- 	    entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
- 	    entryp->uses[entryp->nuses].line = _nc_curr_line;
--	    entryp->nuses++;
--	    if (entryp->nuses > 1 && is_tc) {
--		BAD_TC_USAGE
-+	    if (VALID_STRING(entryp->uses[entryp->nuses].name)) {
-+		entryp->nuses++;
-+		if (entryp->nuses > 1 && is_tc) {
-+		    BAD_TC_USAGE
-+		}
- 	    }
- 	} else {
- 	    /* normal token lookup */
-@@ -588,7 +591,7 @@
- static void
- append_acs(string_desc * dst, int code, char *src)
- {
--    if (src != 0 && strlen(src) == 1) {
-+    if (VALID_STRING(src) && strlen(src) == 1) {
- 	append_acs0(dst, code, *src);
-     }
- }
-@@ -849,15 +852,14 @@
- 	    }
- 
- 	    if (tp->Strings[to_ptr->nte_index]) {
-+		const char *s = tp->Strings[from_ptr->nte_index];
-+		const char *t = tp->Strings[to_ptr->nte_index];
- 		/* There's no point in warning about it if it's the same
- 		 * string; that's just an inefficiency.
- 		 */
--		if (strcmp(
--			      tp->Strings[from_ptr->nte_index],
--			      tp->Strings[to_ptr->nte_index]) != 0)
-+		if (VALID_STRING(s) && VALID_STRING(t) && strcmp(s, t) != 0)
- 		    _nc_warning("%s (%s) already has an explicit value %s, ignoring ko",
--				ap->to, ap->from,
--				_nc_visbuf(tp->Strings[to_ptr->nte_index]));
-+				ap->to, ap->from, t);
- 		continue;
- 	    }
- 
---- ncurses-6.0-20170624+/progs/dump_entry.c	2017-06-23 22:47:43.000000000 +0000
-+++ ncurses-6.0-20170701/progs/dump_entry.c	2017-07-01 11:27:29.000000000 +0000
-@@ -841,9 +841,10 @@
-     PredIdx num_strings = 0;
-     bool outcount = 0;
- 
--#define WRAP_CONCAT	\
--	wrap_concat(buffer); \
--	outcount = TRUE
-+#define WRAP_CONCAT1(s)		wrap_concat(s); outcount = TRUE
-+#define WRAP_CONCAT2(a,b)	wrap_concat(a); WRAP_CONCAT1(b)
-+#define WRAP_CONCAT3(a,b,c)	wrap_concat(a); WRAP_CONCAT2(b,c)
-+#define WRAP_CONCAT		WRAP_CONCAT1(buffer)
- 
-     len = 12;			/* terminfo file-header */
- 
-@@ -1007,9 +1008,9 @@
- 		    set_attributes = save_sgr;
- 
- 		    trimmed_sgr0 = _nc_trim_sgr0(tterm);
--		    if (strcmp(capability, trimmed_sgr0))
-+		    if (strcmp(capability, trimmed_sgr0)) {
- 			capability = trimmed_sgr0;
--		    else {
-+		    } else {
- 			if (trimmed_sgr0 != exit_attribute_mode)
- 			    free(trimmed_sgr0);
- 		    }
-@@ -1046,13 +1047,21 @@
- 			_nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
- 				    "%s=!!! %s WILL NOT CONVERT !!!",
- 				    name, srccap);
-+			WRAP_CONCAT;
- 		    } else if (suppress_untranslatable) {
- 			continue;
- 		    } else {
- 			char *s = srccap, *d = buffer;
--			_nc_SPRINTF(d, _nc_SLIMIT(sizeof(buffer)) "..%s=", name);
--			d += strlen(d);
-+			WRAP_CONCAT3("..", name, "=");
- 			while ((*d = *s++) != 0) {
-+			    if ((d - buffer - 1) >= (int) sizeof(buffer)) {
-+				fprintf(stderr,
-+					"%s: value for %s is too long\n",
-+					_nc_progname,
-+					name);
-+				*d = '\0';
-+				break;
-+			    }
- 			    if (*d == ':') {
- 				*d++ = '\\';
- 				*d = ':';
-@@ -1061,13 +1070,12 @@
- 			    }
- 			    d++;
- 			}
-+			WRAP_CONCAT;
- 		    }
- 		} else {
--		    _nc_SPRINTF(buffer, _nc_SLIMIT(sizeof(buffer))
--				"%s=%s", name, cv);
-+		    WRAP_CONCAT3(name, "=", cv);
- 		}
- 		len += (int) strlen(capability) + 1;
--		WRAP_CONCAT;
- 	    } else {
- 		char *src = _nc_tic_expand(capability,
- 					   outform == F_TERMINFO, numbers);
-@@ -1083,8 +1091,7 @@
- 		    strcpy_DYN(&tmpbuf, src);
- 		}
- 		len += (int) strlen(capability) + 1;
--		wrap_concat(tmpbuf.text);
--		outcount = TRUE;
-+		WRAP_CONCAT1(tmpbuf.text);
- 	    }
- 	}
- 	/* e.g., trimmed_sgr0 */
-@@ -1526,7 +1533,8 @@
- 		}
- 		if (len > critlen) {
- 		    (void) fprintf(stderr,
--				   "warning: %s entry is %d bytes long\n",
-+				   "%s: %s entry is %d bytes long\n",
-+				   _nc_progname,
- 				   _nc_first_name(tterm->term_names),
- 				   len);
- 		    SHOW_WHY("# WARNING: this entry, %d bytes long, may core-dump %s libraries!\n",
diff --git a/gnu/packages/patches/nfs-utils-missing-headers.patch b/gnu/packages/patches/nfs-utils-missing-headers.patch
new file mode 100644
index 0000000000..7f0542836e
--- /dev/null
+++ b/gnu/packages/patches/nfs-utils-missing-headers.patch
@@ -0,0 +1,19 @@
+Fix compilation failure with glibc 2.26 caused by missing type
+declarations:
+
+------
+rpc.c: In function ‘nsm_recv_getport’:
+rpc.c:469:13: error: ‘UINT16_MAX’ undeclared (first use in this function)
+  if (port > UINT16_MAX) {
+------
+
+--- a/support/nsm/rpc.c.orig	2016-08-03 20:25:15.000000000 +0200
++++ b/support/nsm/rpc.c	2017-08-26 07:41:11.884000000 +0200
+@@ -40,6 +40,7 @@
+ 
+ #include <time.h>
+ #include <stdbool.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <unistd.h>
+ #include <fcntl.h>
diff --git a/gnu/packages/patches/node-test-http2-server-rst-stream.patch b/gnu/packages/patches/node-test-http2-server-rst-stream.patch
deleted file mode 100644
index c2f85010b1..0000000000
--- a/gnu/packages/patches/node-test-http2-server-rst-stream.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From a41cc020fd6e40b358103425edfa50e6a10fc973 Mon Sep 17 00:00:00 2001
-From: Anatoli Papirovski <apapirovski@mac.com>
-Date: Thu, 2 Nov 2017 12:46:31 -0400
-Subject: [PATCH] test: fix flaky test-http2-server-rst-stream.js
-
-PR-URL: https://github.com/nodejs/node/pull/16690
-Fixes: https://github.com/nodejs/node/issues/16688
-Reviewed-By: James M Snell <jasnell@gmail.com>
-Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
----
- test/parallel/test-http2-server-rst-stream.js | 93 ++++++++++-----------------
- 1 file changed, 35 insertions(+), 58 deletions(-)
-
-diff --git a/test/parallel/test-http2-server-rst-stream.js b/test/parallel/test-http2-server-rst-stream.js
-index b92217dc99..dd38efb42f 100644
---- a/test/parallel/test-http2-server-rst-stream.js
-+++ b/test/parallel/test-http2-server-rst-stream.js
-@@ -5,11 +5,9 @@ if (!common.hasCrypto)
-   common.skip('missing crypto');
- const assert = require('assert');
- const http2 = require('http2');
-+const Countdown = require('../common/countdown');
- 
- const {
--  HTTP2_HEADER_METHOD,
--  HTTP2_HEADER_PATH,
--  HTTP2_METHOD_POST,
-   NGHTTP2_CANCEL,
-   NGHTTP2_NO_ERROR,
-   NGHTTP2_PROTOCOL_ERROR,
-@@ -17,63 +15,42 @@ const {
-   NGHTTP2_INTERNAL_ERROR
- } = http2.constants;
- 
--const errCheck = common.expectsError({ code: 'ERR_HTTP2_STREAM_ERROR' }, 6);
-+const tests = [
-+  ['rstStream', NGHTTP2_NO_ERROR, false],
-+  ['rstWithNoError', NGHTTP2_NO_ERROR, false],
-+  ['rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR, true],
-+  ['rstWithCancel', NGHTTP2_CANCEL, false],
-+  ['rstWithRefuse', NGHTTP2_REFUSED_STREAM, true],
-+  ['rstWithInternalError', NGHTTP2_INTERNAL_ERROR, true]
-+];
-+
-+const server = http2.createServer();
-+server.on('stream', (stream, headers) => {
-+  const method = headers['rstmethod'];
-+  stream[method]();
-+});
-+
-+server.listen(0, common.mustCall(() => {
-+  const client = http2.connect(`http://localhost:${server.address().port}`);
-+
-+  const countdown = new Countdown(tests.length, common.mustCall(() => {
-+    client.destroy();
-+    server.close();
-+  }));
- 
--function checkRstCode(rstMethod, expectRstCode) {
--  const server = http2.createServer();
--  server.on('stream', (stream, headers, flags) => {
--    stream.respond({
--      'content-type': 'text/html',
--      ':status': 200
-+  tests.forEach((test) => {
-+    const req = client.request({
-+      ':method': 'POST',
-+      rstmethod: test[0]
-     });
--    stream.write('test');
--    if (rstMethod === 'rstStream')
--      stream[rstMethod](expectRstCode);
--    else
--      stream[rstMethod]();
--
--    if (expectRstCode !== NGHTTP2_NO_ERROR &&
--        expectRstCode !== NGHTTP2_CANCEL) {
--      stream.on('error', common.mustCall(errCheck));
--    } else {
--      stream.on('error', common.mustNotCall());
--    }
--  });
--
--  server.listen(0, common.mustCall(() => {
--    const port = server.address().port;
--    const client = http2.connect(`http://localhost:${port}`);
--
--    const headers = {
--      [HTTP2_HEADER_PATH]: '/',
--      [HTTP2_HEADER_METHOD]: HTTP2_METHOD_POST
--    };
--    const req = client.request(headers);
--
--    req.setEncoding('utf8');
--    req.on('streamClosed', common.mustCall((actualRstCode) => {
--      assert.strictEqual(
--        expectRstCode, actualRstCode, `${rstMethod} is not match rstCode`);
--      server.close();
--      client.destroy();
-+    req.on('streamClosed', common.mustCall((code) => {
-+      assert.strictEqual(code, test[1]);
-+      countdown.dec();
-     }));
--    req.on('data', common.mustCall());
-     req.on('aborted', common.mustCall());
--    req.on('end', common.mustCall());
--
--    if (expectRstCode !== NGHTTP2_NO_ERROR &&
--        expectRstCode !== NGHTTP2_CANCEL) {
--      req.on('error', common.mustCall(errCheck));
--    } else {
-+    if (test[2])
-+      req.on('error', common.mustCall());
-+    else
-       req.on('error', common.mustNotCall());
--    }
--
--  }));
--}
--
--checkRstCode('rstStream', NGHTTP2_NO_ERROR);
--checkRstCode('rstWithNoError', NGHTTP2_NO_ERROR);
--checkRstCode('rstWithProtocolError', NGHTTP2_PROTOCOL_ERROR);
--checkRstCode('rstWithCancel', NGHTTP2_CANCEL);
--checkRstCode('rstWithRefuse', NGHTTP2_REFUSED_STREAM);
--checkRstCode('rstWithInternalError', NGHTTP2_INTERNAL_ERROR);
-+  });
-+}));
--- 
-2.15.0
-
diff --git a/gnu/packages/patches/opencascade-oce-glibc-2.26.patch b/gnu/packages/patches/opencascade-oce-glibc-2.26.patch
new file mode 100644
index 0000000000..ee5ed572c8
--- /dev/null
+++ b/gnu/packages/patches/opencascade-oce-glibc-2.26.patch
@@ -0,0 +1,62 @@
+Fix build with glibc 2.26:
+
+https://github.com/tpaviot/oce/issues/675
+
+Patch copied from upstream source repository:
+
+https://github.com/tpaviot/oce/commit/aa1321e68cc004e3debe38d79ae74581a617c767
+
+From aa1321e68cc004e3debe38d79ae74581a617c767 Mon Sep 17 00:00:00 2001
+From: Janus Weil <janus@gcc.gnu.org>
+Date: Mon, 18 Dec 2017 11:27:55 +0100
+Subject: [PATCH] fix build errors with glibc 2.26+ due to missing xlocale.h
+ (issue #675)
+
+* check for the presence of xlocale.h via cmake
+* remove related logic from Standard_CLocaleSentry.hxx
+---
+ CMakeLists.txt                          |  1 +
+ src/Standard/Standard_CLocaleSentry.hxx | 15 ---------------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b782b4101..50e9500b2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -616,6 +616,7 @@ if (NOT WIN32)
+ 	# compilation anywhere in OCE
+ 	include(CheckIncludeFile)
+ 	check_include_file(strings.h HAVE_STRINGS_H)
++	check_include_file(xlocale.h HAVE_XLOCALE_H)
+ 	include(CheckIncludeFileCXX)
+ 	check_include_file_cxx(mm_malloc.h HAVE_MM_MALLOC_H)
+ 	check_include_file_cxx(atomic.h OCE_HAVE_ATOMIC_H)
+diff --git a/src/Standard/Standard_CLocaleSentry.hxx b/src/Standard/Standard_CLocaleSentry.hxx
+index 2b226e7f3..1a4c1dadc 100644
+--- a/src/Standard/Standard_CLocaleSentry.hxx
++++ b/src/Standard/Standard_CLocaleSentry.hxx
+@@ -20,21 +20,6 @@
+ 
+ #include <locale.h>
+ 
+-#ifndef HAVE_XLOCALE_H
+-  //! "xlocale.h" available in Mac OS X and glibc (Linux) for a long time as an extension
+-  //! and become part of POSIX since '2008.
+-  //! Notice that this is impossible to test (_POSIX_C_SOURCE >= 200809L)
+-  //! since POSIX didn't declared such identifier.
+-  #if defined(__APPLE__)
+-    #define HAVE_XLOCALE_H
+-  #endif
+-
+-  //! We check _GNU_SOURCE for glibc extensions here and it is always defined by g++ compiler.
+-  #if defined(_GNU_SOURCE) && !defined(__ANDROID__)
+-    #define HAVE_XLOCALE_H
+-  #endif
+-#endif // ifndef HAVE_LOCALE_H
+-
+ #ifdef HAVE_XLOCALE_H
+   #include <xlocale.h>
+ #endif
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/pcre-CVE-2017-7186.patch b/gnu/packages/patches/pcre-CVE-2017-7186.patch
deleted file mode 100644
index d23aa10374..0000000000
--- a/gnu/packages/patches/pcre-CVE-2017-7186.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-Patch for <https://nvd.nist.gov/vuln/detail?vulnId=CVE-2017-7186>
-from <https://vcs.pcre.org/pcre?view=revision&revision=1688>.
-
---- trunk/pcre_internal.h	2016/05/21 13:34:44	1649
-+++ trunk/pcre_internal.h	2017/02/24 17:30:30	1688
-@@ -2772,6 +2772,9 @@
- extern const pcre_uint16 PRIV(ucd_stage2)[];
- extern const pcre_uint32 PRIV(ucp_gentype)[];
- extern const pcre_uint32 PRIV(ucp_gbtable)[];
-+#ifdef COMPILE_PCRE32
-+extern const ucd_record  PRIV(dummy_ucd_record)[];
-+#endif
- #ifdef SUPPORT_JIT
- extern const int         PRIV(ucp_typerange)[];
- #endif
-@@ -2780,9 +2783,15 @@
- /* UCD access macros */
- 
- #define UCD_BLOCK_SIZE 128
--#define GET_UCD(ch) (PRIV(ucd_records) + \
-+#define REAL_GET_UCD(ch) (PRIV(ucd_records) + \
-         PRIV(ucd_stage2)[PRIV(ucd_stage1)[(int)(ch) / UCD_BLOCK_SIZE] * \
-         UCD_BLOCK_SIZE + (int)(ch) % UCD_BLOCK_SIZE])
-+        
-+#ifdef COMPILE_PCRE32
-+#define GET_UCD(ch) ((ch > 0x10ffff)? PRIV(dummy_ucd_record) : REAL_GET_UCD(ch))
-+#else
-+#define GET_UCD(ch) REAL_GET_UCD(ch)
-+#endif 
- 
- #define UCD_CHARTYPE(ch)    GET_UCD(ch)->chartype
- #define UCD_SCRIPT(ch)      GET_UCD(ch)->script
-
---- trunk/pcre_ucd.c	2014/06/19 07:51:39	1490
-+++ trunk/pcre_ucd.c	2017/02/24 17:30:30	1688
-@@ -38,6 +38,20 @@
- const pcre_uint32 PRIV(ucd_caseless_sets)[] = {0};
- #else
- 
-+/* If the 32-bit library is run in non-32-bit mode, character values
-+greater than 0x10ffff may be encountered. For these we set up a
-+special record. */
-+
-+#ifdef COMPILE_PCRE32
-+const ucd_record PRIV(dummy_ucd_record)[] = {{
-+  ucp_Common,    /* script */
-+  ucp_Cn,        /* type unassigned */
-+  ucp_gbOther,   /* grapheme break property */
-+  0,             /* case set */
-+  0,             /* other case */
-+  }};
-+#endif
-+
- /* When recompiling tables with a new Unicode version, please check the
- types in this structure definition from pcre_internal.h (the actual
- field names will be different):
diff --git a/gnu/packages/patches/potrace-tests.patch b/gnu/packages/patches/potrace-tests.patch
new file mode 100644
index 0000000000..407be98dab
--- /dev/null
+++ b/gnu/packages/patches/potrace-tests.patch
@@ -0,0 +1,50 @@
+This relaxes the comparison threshold between the reference data
+and the bitmaps produced by Ghostscript interpreting the vectorized
+image.  Apparently the threshold has become too low with the switch
+to from Ghostscript 2.21 to 2.22.
+
+--- potrace-1.15/check/postscript-check.sh	2018-01-06 19:47:26.194900686 +0100
++++ potrace-1.15/check/postscript-check.sh	2018-01-06 19:51:35.937503739 +0100
+@@ -70,15 +70,15 @@ if test $? -ne 0; then
+     echo "Something is wrong with $GS; skipping this test" >& 2
+     exit 77
+ fi 
+-actiondiff "$TMP2" "$REFDATA" 1000
++actiondiff "$TMP2" "$REFDATA" 1500
+ 
+ action $POTRACE -r50 -p -L 0 -B 0 --opaque -o "$TMP1" "$DATA"
+ action "$GS" -q -dNOPAUSE -sDEVICE=pbmraw -g460x394 -r100x100 -sOutputFile="$TMP2" -- "$TMP1"
+-actiondiff "$TMP2" "$REFDATA" 1200
++actiondiff "$TMP2" "$REFDATA" 1500
+ 
+ action $POTRACE -r50 -p -L 0 -B 0 -A 160 -o "$TMP1" "$DATA"
+ action "$GS" -q -dNOPAUSE -sDEVICE=pbmraw -g568x528 -r100x100 -sOutputFile="$TMP2" -- "$TMP1"
+-actiondiff "$TMP2" "$REFDATAROT" 1200
++actiondiff "$TMP2" "$REFDATAROT" 1500
+ 
+ action rm -f "$TMP1"
+ action rm -f "$TMP2"
+
+--- potrace-1.15/check/pdf-check.sh	2018-01-06 19:47:28.698886663 +0100
++++ potrace-1.15/check/pdf-check.sh	2018-01-06 20:54:14.895460329 +0100
+@@ -72,15 +72,15 @@ if test $? -ne 0 -o ! -f "$TMP2"; then
+     echo "GS does not understand PDF; skipping this test" >& 2
+     exit 77
+ fi 
+-actiondiff "$TMP2" "$REFDATA" 1000
++actiondiff "$TMP2" "$REFDATA" 1500
+ 
+ action $POTRACE -r50 -p -L 0 -B 0 --opaque -b pdf -o "$TMP1" "$DATA"
+ action "$GS" -q -dNOPAUSE -sDEVICE=pbmraw -g460x394 -r100x100 -sOutputFile="$TMP2" -- "$TMP1"
+-actiondiff "$TMP2" "$REFDATA" 1200
++actiondiff "$TMP2" "$REFDATA" 1500
+ 
+ action $POTRACE -r50 -p -L 0 -B 0 -A 160 -b pdf -o "$TMP1" "$DATA"
+ action "$GS" -q -dNOPAUSE -sDEVICE=pbmraw -g568x528 -r100x100 -sOutputFile="$TMP2" -- "$TMP1"
+-actiondiff "$TMP2" "$REFDATAROT" 1200
++actiondiff "$TMP2" "$REFDATAROT" 1500
+ 
+ action rm -f "$TMP1"
+ action rm -f "$TMP2"
+
+Diff finished.  Sat Jan  6 20:54:50 2018
diff --git a/gnu/packages/patches/python-2.7-adjust-tests.patch b/gnu/packages/patches/python-2.7-adjust-tests.patch
new file mode 100644
index 0000000000..12fe6e2e1e
--- /dev/null
+++ b/gnu/packages/patches/python-2.7-adjust-tests.patch
@@ -0,0 +1,22 @@
+SIGINT is ignored in the Guix build environment.
+
+--- a/Lib/test/test_regrtest.py
++++ b/Lib/test/test_regrtest.py
+@@ -399,6 +399,8 @@
+         output = self.run_tests('--fromfile', filename)
+         self.check_executed_tests(output, tests)
+ 
++    @unittest.skipIf(True,
++        "KeyboardInterrupts do not work in the build environment")
+     def test_interrupted(self):
+         code = TEST_INTERRUPTED
+         test = self.create_test('sigint', code=code)
+@@ -416,6 +418,8 @@
+                  % (self.TESTNAME_REGEX, len(tests)))
+         self.check_line(output, regex)
+ 
++    @unittest.skipIf(True,
++        "KeyboardInterrupts do not work in the build environment")
+     def test_slow_interrupted(self):
+         # Issue #25373: test --slowest with an interrupted test
+         code = TEST_INTERRUPTED
diff --git a/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
deleted file mode 100644
index 5a09b4ac52..0000000000
--- a/gnu/packages/patches/python-2.7-getentropy-on-old-kernels.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-This patch resolves a compatibility issue when compiled against glibc
-2.25
-and run runder kernels < 3.17:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1410175
-
-Upstream bug URLs:
-
-https://bugs.python.org/issue29157
-https://bugs.python.org/issue29188
-
-Patch adapted from upstream source repository:
-
-https://github.com/python/cpython/commit/01bdbad3e951014c58581635b94b22868537901c
-
-From 01bdbad3e951014c58581635b94b22868537901c Mon Sep 17 00:00:00 2001
-From: Victor Stinner <victor.stinner@gmail.com>
-Date: Mon, 9 Jan 2017 11:10:41 +0100
-Subject: [PATCH] Don't use getentropy() on Linux
-
-Issue #29188: Support glibc 2.24 on Linux: don't use getentropy() function but
-read from /dev/urandom to get random bytes, for example in os.urandom().  On
-Linux, getentropy() is implemented which getrandom() is blocking mode, whereas
-os.urandom() should not block.
----
- Misc/NEWS       |  5 +++++
- Python/random.c | 11 +++++++++--
- 2 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/Python/random.c b/Python/random.c
-index 57c41ffcd6..000cb36938 100644
---- a/Python/random.c
-+++ b/Python/random.c
-@@ -97,8 +97,15 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
- }
- 
- /* Issue #25003: Don't use getentropy() on Solaris (available since
-- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
--#elif defined(HAVE_GETENTROPY) && !defined(sun)
-+   Solaris 11.3), it is blocking whereas os.urandom() should not block.
-+
-+   Issue #29188: Don't use getentropy() on Linux since the glibc 2.24
-+   implements it with the getrandom() syscall which can fail with ENOSYS,
-+   and this error is not supported in py_getentropy() and getrandom() is called
-+   with flags=0 which blocks until system urandom is initialized, which is not
-+   the desired behaviour to seed the Python hash secret nor for os.urandom():
-+   see the PEP 524 which was only implemented in Python 3.6. */
-+#elif defined(HAVE_GETENTROPY) && !defined(sun) && !defined(linux)
- #define PY_GETENTROPY 1
- 
- /* Fill buffer with size pseudo-random bytes generated by getentropy().
--- 
-2.12.0
-
diff --git a/gnu/packages/patches/python-3-fix-tests.patch b/gnu/packages/patches/python-3-fix-tests.patch
new file mode 100644
index 0000000000..ab713c54dd
--- /dev/null
+++ b/gnu/packages/patches/python-3-fix-tests.patch
@@ -0,0 +1,149 @@
+Additional test fixes which affect Python 3.5 (and presumably later) but not
+prior revisions of Python.
+
+--- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
++++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
+@@ -2132,8 +2132,7 @@
+         self.assertEqual(given, expect)
+         self.assertEqual(set(p.rglob("FILEd*")), set())
+ 
+-    @unittest.skipUnless(hasattr(pwd, 'getpwall'),
+-                         'pwd module does not expose getpwall()')
++    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
+     def test_expanduser(self):
+         P = self.cls
+         support.import_module('pwd')
+--- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
++++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
+@@ -2305,11 +2305,14 @@
+     try:
+         import pwd, grp
+     except ImportError:
+         return False
+-    if pwd.getpwuid(0)[0] != 'root':
+-        return False
+-    if grp.getgrgid(0)[0] != 'root':
++    try:
++        if pwd.getpwuid(0)[0] != 'root':
++            return False
++        if grp.getgrgid(0)[0] != 'root':
++            return False
++    except KeyError:
+         return False
+     return True
+
+
+--- Lib/test/test_asyncio/test_base_events.py
++++ Lib/test/test_asyncio/test_base_events.py
+@@ -1216,6 +1216,8 @@
+         self._test_create_connection_ip_addr(m_socket, False)
+
+     @patch_socket
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_create_connection_service_name(self, m_socket):
+         m_socket.getaddrinfo = socket.getaddrinfo
+         sock = m_socket.socket.return_value
+
+--- Lib/test/test_pdb.py.org    2017-03-12 03:09:01.991856701 +0100
++++ Lib/test/test_pdb.py        2017-03-12 03:26:17.742572869 +0100
+
+For some reason, KeyboardInterrupts do not work in the build
+environment (lack of controlling TTY?). Just change the expected
+outcome. Unfortunately, this will make it fail for users running
+`python -m test test_pdb test_pdb` interactively.
+
+@@ -928,11 +928,11 @@
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(6)test_function()
+     -> print('pdb %d: %s' % (i, sess._previous_sigint_handler))
+     (Pdb) continue
+-    pdb 1: <built-in function default_int_handler>
++    pdb 1: Handlers.SIG_IGN
+     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(5)test_function()
+     -> sess.set_trace(sys._getframe())
+     (Pdb) continue
+-    pdb 2: <built-in function default_int_handler>
++    pdb 2: Handlers.SIG_IGN
+     """
+
+ class PdbTestCase(unittest.TestCase):
+--- Lib/test/test_socket.py
++++ Lib/test/test_socket.py
+@@ -802,6 +802,8 @@
+         if not fqhn in all_host_names:
+             self.fail("Error testing host resolution mechanisms. (fqdn: %s, all: %s)" % (fqhn, repr(all_host_names)))
+ 
++    @unittest.skipUnless(support.is_resource_enabled('network'),
++                         'network is not enabled')
+     def test_host_resolution(self):
+         for addr in [support.HOST, '10.0.0.1', '255.255.255.255']:
+             self.assertEqual(socket.gethostbyname(addr), addr)
+--- Lib/test/test_spwd.py
++++ Lib/test/test_spwd.py
+@@ -5,8 +5,7 @@
+ spwd = support.import_module('spwd')
+ 
+ 
+-@unittest.skipUnless(hasattr(os, 'geteuid') and os.geteuid() == 0,
+-                     'root privileges required')
++@unittest.skipUnless(os.path.exists("/etc/shadow"), 'spwd tests require /etc/shadow')
+ class TestSpwdRoot(unittest.TestCase):
+ 
+     def test_getspall(self):
+@@ -56,8 +55,7 @@
+             self.assertRaises(TypeError, spwd.getspnam, bytes_name)
+ 
+ 
+-@unittest.skipUnless(hasattr(os, 'geteuid') and os.geteuid() != 0,
+-                     'non-root user required')
++@unittest.skipUnless(os.path.exists("/etc/shadow"), 'spwd tests require /etc/shadow')
+ class TestSpwdNonRoot(unittest.TestCase):
+ 
+     def test_getspnam_exception(self):
+--- Lib/test/test_regrtest.py
++++ Lib/test/test_regrtest.py
+@@ -700,6 +700,7 @@
+         output = self.run_tests('--fromfile', filename)
+         self.check_executed_tests(output, tests)
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment.')
+     def test_interrupted(self):
+         code = TEST_INTERRUPTED
+         test = self.create_test('sigint', code=code)
+@@ -717,6 +718,7 @@
+                  % (self.TESTNAME_REGEX, len(tests)))
+         self.check_line(output, regex)
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment.')
+     def test_slow_interrupted(self):
+         # Issue #25373: test --slowest with an interrupted test
+         code = TEST_INTERRUPTED
+--- Lib/test/test_generators.py
++++ Lib/test/test_generators.py
+@@ -29,6 +29,7 @@
+         else:
+             return "FAILED"
+ 
++    @unittest.skipIf(True, 'Keyboard interrupts do not work in the Guix build environment')
+     def test_raise_and_yield_from(self):
+         gen = self.generator1()
+         gen.send(None)
+--- Lib/test/test_normalization.py
++++ Lib/test/test_normalization.py
+@@ -2,6 +2,7 @@
+ import unittest
+ 
+ from http.client import HTTPException
++from urllib.error import URLError
+ import sys
+ from unicodedata import normalize, unidata_version
+ 
+@@ -43,6 +44,8 @@
+         except PermissionError:
+             self.skipTest(f"Permission error when downloading {TESTDATAURL} "
+                           f"into the test data directory")
++        except URLError:
++            self.skipTest("DNS lookups are not enabled.")
+         except (OSError, HTTPException):
+             self.fail(f"Could not retrieve {TESTDATAURL}")
+ 
diff --git a/gnu/packages/patches/python-3.5-fix-tests.patch b/gnu/packages/patches/python-3.5-fix-tests.patch
deleted file mode 100644
index 9778b88dbd..0000000000
--- a/gnu/packages/patches/python-3.5-fix-tests.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Additional test fixes which affect Python 3.5 (and presumably later) but not
-prior revisions of Python.
-
---- Lib/test/test_pathlib.py     2014-03-01 03:02:36.088311000 +0100
-+++ Lib/test/test_pathlib.py     2014-03-01 04:56:37.768311000 +0100
-@@ -1986,8 +1986,9 @@
-         expect = set() if not support.fs_is_case_insensitive(BASE) else given
-         self.assertEqual(given, expect)
-         self.assertEqual(set(p.rglob("FILEd*")), set())
- 
-+    @unittest.skipIf(True, "Guix builder home is '/' which causes trouble for these tests")
-     def test_expanduser(self):
-         P = self.cls
-         support.import_module('pwd')
-         import pwd
---- Lib/test/test_tarfile.py        2016-02-24 19:22:52.597208055 +0000
-+++ Lib/test/test_tarfile.py     2016-02-24 20:50:48.941950135 +0000
-@@ -2305,11 +2305,14 @@
-     try:
-         import pwd, grp
-     except ImportError:
-         return False
--    if pwd.getpwuid(0)[0] != 'root':
--        return False
--    if grp.getgrgid(0)[0] != 'root':
-+    try:
-+        if pwd.getpwuid(0)[0] != 'root':
-+            return False
-+        if grp.getgrgid(0)[0] != 'root':
-+            return False
-+    except KeyError:
-         return False
-     return True
-
-
---- Lib/test/test_asyncio/test_base_events.py
-+++ Lib/test/test_asyncio/test_base_events.py
-@@ -1216,6 +1216,8 @@
-         self._test_create_connection_ip_addr(m_socket, False)
-
-     @patch_socket
-+    @unittest.skipUnless(support.is_resource_enabled('network'),
-+                         'network is not enabled')
-     def test_create_connection_service_name(self, m_socket):
-         m_socket.getaddrinfo = socket.getaddrinfo
-         sock = m_socket.socket.return_value
-
---- Lib/test/test_pdb.py.org    2017-03-12 03:09:01.991856701 +0100
-+++ Lib/test/test_pdb.py        2017-03-12 03:26:17.742572869 +0100
-
-For some reason, KeyboardInterrupts do not work in the build
-environment (lack of controlling TTY?). Just change the expected
-outcome. Unfortunately, this will make it fail for users running
-`python -m test test_pdb test_pdb` interactively.
-
-@@ -928,11 +928,11 @@
-     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(6)test_function()
-     -> print('pdb %d: %s' % (i, sess._previous_sigint_handler))
-     (Pdb) continue
--    pdb 1: <built-in function default_int_handler>
-+    pdb 1: Handlers.SIG_IGN
-     > <doctest test.test_pdb.test_pdb_issue_20766[0]>(5)test_function()
-     -> sess.set_trace(sys._getframe())
-     (Pdb) continue
--    pdb 2: <built-in function default_int_handler>
-+    pdb 2: Handlers.SIG_IGN
-     """
-
- class PdbTestCase(unittest.TestCase):
diff --git a/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch b/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
deleted file mode 100644
index 8a12b5b448..0000000000
--- a/gnu/packages/patches/python-3.5-getentropy-on-old-kernels.patch
+++ /dev/null
@@ -1,720 +0,0 @@
-This patch resolves a compatibility issue when compiled against glibc 2.25
-and run runder kernels < 3.17:
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1410175
-
-Upstream bug URL: https://bugs.python.org/issue29157
-
-Patch copied from upstream source repository:
-
-https://hg.python.org/cpython/rev/8125d9a8152b
-
-# HG changeset patch
-# User Victor Stinner <victor.stinner@gmail.com>
-# Date 1483957133 -3600
-# Node ID 8125d9a8152b79e712cb09c7094b9129b9bcea86
-# Parent  337461574c90281630751b6095c4e1baf380cf7d
-Issue #29157: Prefer getrandom() over getentropy()
-
-Copy and then adapt Python/random.c from default branch. Difference between 3.5
-and default branches:
-
-* Python 3.5 only uses getrandom() in non-blocking mode: flags=GRND_NONBLOCK
-* If getrandom() fails with EAGAIN: py_getrandom() immediately fails and
-  remembers that getrandom() doesn't work.
-* Python 3.5 has no _PyOS_URandomNonblock() function: _PyOS_URandom()
-  works in non-blocking mode on Python 3.5
-
-diff --git a/Python/random.c b/Python/random.c
---- Python/random.c
-+++ Python/random.c
-@@ -1,6 +1,9 @@
- #include "Python.h"
- #ifdef MS_WINDOWS
- #  include <windows.h>
-+/* All sample MSDN wincrypt programs include the header below. It is at least
-+ * required with Min GW. */
-+#  include <wincrypt.h>
- #else
- #  include <fcntl.h>
- #  ifdef HAVE_SYS_STAT_H
-@@ -37,10 +40,9 @@ win32_urandom_init(int raise)
-     return 0;
- 
- error:
--    if (raise)
-+    if (raise) {
-         PyErr_SetFromWindowsErr(0);
--    else
--        Py_FatalError("Failed to initialize Windows random API (CryptoGen)");
-+    }
-     return -1;
- }
- 
-@@ -53,8 +55,9 @@ win32_urandom(unsigned char *buffer, Py_
- 
-     if (hCryptProv == 0)
-     {
--        if (win32_urandom_init(raise) == -1)
-+        if (win32_urandom_init(raise) == -1) {
-             return -1;
-+        }
-     }
- 
-     while (size > 0)
-@@ -63,11 +66,9 @@ win32_urandom(unsigned char *buffer, Py_
-         if (!CryptGenRandom(hCryptProv, (DWORD)chunk, buffer))
-         {
-             /* CryptGenRandom() failed */
--            if (raise)
-+            if (raise) {
-                 PyErr_SetFromWindowsErr(0);
--            else
--                Py_FatalError("Failed to initialized the randomized hash "
--                        "secret using CryptoGen)");
-+            }
-             return -1;
-         }
-         buffer += chunk;
-@@ -76,58 +77,23 @@ win32_urandom(unsigned char *buffer, Py_
-     return 0;
- }
- 
--/* Issue #25003: Don't use getentropy() on Solaris (available since
-- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
--#elif defined(HAVE_GETENTROPY) && !defined(sun)
--#define PY_GETENTROPY 1
--
--/* Fill buffer with size pseudo-random bytes generated by getentropy().
--   Return 0 on success, or raise an exception and return -1 on error.
--
--   If fatal is nonzero, call Py_FatalError() instead of raising an exception
--   on error. */
--static int
--py_getentropy(unsigned char *buffer, Py_ssize_t size, int fatal)
--{
--    while (size > 0) {
--        Py_ssize_t len = Py_MIN(size, 256);
--        int res;
--
--        if (!fatal) {
--            Py_BEGIN_ALLOW_THREADS
--            res = getentropy(buffer, len);
--            Py_END_ALLOW_THREADS
--
--            if (res < 0) {
--                PyErr_SetFromErrno(PyExc_OSError);
--                return -1;
--            }
--        }
--        else {
--            res = getentropy(buffer, len);
--            if (res < 0)
--                Py_FatalError("getentropy() failed");
--        }
--
--        buffer += len;
--        size -= len;
--    }
--    return 0;
--}
--
--#else
-+#else /* !MS_WINDOWS */
- 
- #if defined(HAVE_GETRANDOM) || defined(HAVE_GETRANDOM_SYSCALL)
- #define PY_GETRANDOM 1
- 
--/* Call getrandom()
-+/* Call getrandom() to get random bytes:
-+
-    - Return 1 on success
--   - Return 0 if getrandom() syscall is not available (failed with ENOSYS or
--     EPERM) or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom
--     not initialized yet) and raise=0.
-+   - Return 0 if getrandom() is not available (failed with ENOSYS or EPERM),
-+     or if getrandom(GRND_NONBLOCK) failed with EAGAIN (system urandom not
-+     initialized yet).
-    - Raise an exception (if raise is non-zero) and return -1 on error:
--     getrandom() failed with EINTR and the Python signal handler raised an
--     exception, or getrandom() failed with a different error. */
-+     if getrandom() failed with EINTR, raise is non-zero and the Python signal
-+     handler raised an exception, or if getrandom() failed with a different
-+     error.
-+
-+   getrandom() is retried if it failed with EINTR: interrupted by a signal. */
- static int
- py_getrandom(void *buffer, Py_ssize_t size, int raise)
- {
-@@ -142,16 +108,19 @@ py_getrandom(void *buffer, Py_ssize_t si
-      * see https://bugs.python.org/issue26839. To avoid this, use the
-      * GRND_NONBLOCK flag. */
-     const int flags = GRND_NONBLOCK;
-+    char *dest;
-     long n;
- 
-     if (!getrandom_works) {
-         return 0;
-     }
- 
-+    dest = buffer;
-     while (0 < size) {
- #ifdef sun
-         /* Issue #26735: On Solaris, getrandom() is limited to returning up
--           to 1024 bytes */
-+           to 1024 bytes. Call it multiple times if more bytes are
-+           requested. */
-         n = Py_MIN(size, 1024);
- #else
-         n = Py_MIN(size, LONG_MAX);
-@@ -161,34 +130,35 @@ py_getrandom(void *buffer, Py_ssize_t si
- #ifdef HAVE_GETRANDOM
-         if (raise) {
-             Py_BEGIN_ALLOW_THREADS
--            n = getrandom(buffer, n, flags);
-+            n = getrandom(dest, n, flags);
-             Py_END_ALLOW_THREADS
-         }
-         else {
--            n = getrandom(buffer, n, flags);
-+            n = getrandom(dest, n, flags);
-         }
- #else
-         /* On Linux, use the syscall() function because the GNU libc doesn't
--         * expose the Linux getrandom() syscall yet. See:
--         * https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
-+           expose the Linux getrandom() syscall yet. See:
-+           https://sourceware.org/bugzilla/show_bug.cgi?id=17252 */
-         if (raise) {
-             Py_BEGIN_ALLOW_THREADS
--            n = syscall(SYS_getrandom, buffer, n, flags);
-+            n = syscall(SYS_getrandom, dest, n, flags);
-             Py_END_ALLOW_THREADS
-         }
-         else {
--            n = syscall(SYS_getrandom, buffer, n, flags);
-+            n = syscall(SYS_getrandom, dest, n, flags);
-         }
- #endif
- 
-         if (n < 0) {
--            /* ENOSYS: getrandom() syscall not supported by the kernel (but
--             * maybe supported by the host which built Python). EPERM:
--             * getrandom() syscall blocked by SECCOMP or something else. */
-+            /* ENOSYS: the syscall is not supported by the kernel.
-+               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
-+               or something else. */
-             if (errno == ENOSYS || errno == EPERM) {
-                 getrandom_works = 0;
-                 return 0;
-             }
-+
-             if (errno == EAGAIN) {
-                 /* getrandom(GRND_NONBLOCK) fails with EAGAIN if the system
-                    urandom is not initialiazed yet. In this case, fall back on
-@@ -202,32 +172,101 @@ py_getrandom(void *buffer, Py_ssize_t si
-             }
- 
-             if (errno == EINTR) {
--                if (PyErr_CheckSignals()) {
--                    if (!raise) {
--                        Py_FatalError("getrandom() interrupted by a signal");
-+                if (raise) {
-+                    if (PyErr_CheckSignals()) {
-+                        return -1;
-                     }
--                    return -1;
-                 }
- 
--                /* retry getrandom() */
-+                /* retry getrandom() if it was interrupted by a signal */
-                 continue;
-             }
- 
-             if (raise) {
-                 PyErr_SetFromErrno(PyExc_OSError);
-             }
--            else {
--                Py_FatalError("getrandom() failed");
-+            return -1;
-+        }
-+
-+        dest += n;
-+        size -= n;
-+    }
-+    return 1;
-+}
-+
-+#elif defined(HAVE_GETENTROPY)
-+#define PY_GETENTROPY 1
-+
-+/* Fill buffer with size pseudo-random bytes generated by getentropy():
-+
-+   - Return 1 on success
-+   - Return 0 if getentropy() syscall is not available (failed with ENOSYS or
-+     EPERM).
-+   - Raise an exception (if raise is non-zero) and return -1 on error:
-+     if getentropy() failed with EINTR, raise is non-zero and the Python signal
-+     handler raised an exception, or if getentropy() failed with a different
-+     error.
-+
-+   getentropy() is retried if it failed with EINTR: interrupted by a signal. */
-+static int
-+py_getentropy(char *buffer, Py_ssize_t size, int raise)
-+{
-+    /* Is getentropy() supported by the running kernel? Set to 0 if
-+       getentropy() failed with ENOSYS or EPERM. */
-+    static int getentropy_works = 1;
-+
-+    if (!getentropy_works) {
-+        return 0;
-+    }
-+
-+    while (size > 0) {
-+        /* getentropy() is limited to returning up to 256 bytes. Call it
-+           multiple times if more bytes are requested. */
-+        Py_ssize_t len = Py_MIN(size, 256);
-+        int res;
-+
-+        if (raise) {
-+            Py_BEGIN_ALLOW_THREADS
-+            res = getentropy(buffer, len);
-+            Py_END_ALLOW_THREADS
-+        }
-+        else {
-+            res = getentropy(buffer, len);
-+        }
-+
-+        if (res < 0) {
-+            /* ENOSYS: the syscall is not supported by the running kernel.
-+               EPERM: the syscall is blocked by a security policy (ex: SECCOMP)
-+               or something else. */
-+            if (errno == ENOSYS || errno == EPERM) {
-+                getentropy_works = 0;
-+                return 0;
-+            }
-+
-+            if (errno == EINTR) {
-+                if (raise) {
-+                    if (PyErr_CheckSignals()) {
-+                        return -1;
-+                    }
-+                }
-+
-+                /* retry getentropy() if it was interrupted by a signal */
-+                continue;
-+            }
-+
-+            if (raise) {
-+                PyErr_SetFromErrno(PyExc_OSError);
-             }
-             return -1;
-         }
- 
--        buffer += n;
--        size -= n;
-+        buffer += len;
-+        size -= len;
-     }
-     return 1;
- }
--#endif
-+#endif /* defined(HAVE_GETENTROPY) && !defined(sun) */
-+
- 
- static struct {
-     int fd;
-@@ -235,136 +274,123 @@ static struct {
-     ino_t st_ino;
- } urandom_cache = { -1 };
- 
-+/* Read random bytes from the /dev/urandom device:
- 
--/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
--   /dev/urandom if getrandom() is not available.
-+   - Return 0 on success
-+   - Raise an exception (if raise is non-zero) and return -1 on error
- 
--   Call Py_FatalError() on error. */
--static void
--dev_urandom_noraise(unsigned char *buffer, Py_ssize_t size)
-+   Possible causes of errors:
-+
-+   - open() failed with ENOENT, ENXIO, ENODEV, EACCES: the /dev/urandom device
-+     was not found. For example, it was removed manually or not exposed in a
-+     chroot or container.
-+   - open() failed with a different error
-+   - fstat() failed
-+   - read() failed or returned 0
-+
-+   read() is retried if it failed with EINTR: interrupted by a signal.
-+
-+   The file descriptor of the device is kept open between calls to avoid using
-+   many file descriptors when run in parallel from multiple threads:
-+   see the issue #18756.
-+
-+   st_dev and st_ino fields of the file descriptor (from fstat()) are cached to
-+   check if the file descriptor was replaced by a different file (which is
-+   likely a bug in the application): see the issue #21207.
-+
-+   If the file descriptor was closed or replaced, open a new file descriptor
-+   but don't close the old file descriptor: it probably points to something
-+   important for some third-party code. */
-+static int
-+dev_urandom(char *buffer, Py_ssize_t size, int raise)
- {
-     int fd;
-     Py_ssize_t n;
- 
--    assert (0 < size);
-+    if (raise) {
-+        struct _Py_stat_struct st;
- 
--#ifdef PY_GETRANDOM
--    if (py_getrandom(buffer, size, 0) == 1) {
--        return;
-+        if (urandom_cache.fd >= 0) {
-+            /* Does the fd point to the same thing as before? (issue #21207) */
-+            if (_Py_fstat_noraise(urandom_cache.fd, &st)
-+                || st.st_dev != urandom_cache.st_dev
-+                || st.st_ino != urandom_cache.st_ino) {
-+                /* Something changed: forget the cached fd (but don't close it,
-+                   since it probably points to something important for some
-+                   third-party code). */
-+                urandom_cache.fd = -1;
-+            }
-+        }
-+        if (urandom_cache.fd >= 0)
-+            fd = urandom_cache.fd;
-+        else {
-+            fd = _Py_open("/dev/urandom", O_RDONLY);
-+            if (fd < 0) {
-+                if (errno == ENOENT || errno == ENXIO ||
-+                    errno == ENODEV || errno == EACCES) {
-+                    PyErr_SetString(PyExc_NotImplementedError,
-+                                    "/dev/urandom (or equivalent) not found");
-+                }
-+                /* otherwise, keep the OSError exception raised by _Py_open() */
-+                return -1;
-+            }
-+            if (urandom_cache.fd >= 0) {
-+                /* urandom_fd was initialized by another thread while we were
-+                   not holding the GIL, keep it. */
-+                close(fd);
-+                fd = urandom_cache.fd;
-+            }
-+            else {
-+                if (_Py_fstat(fd, &st)) {
-+                    close(fd);
-+                    return -1;
-+                }
-+                else {
-+                    urandom_cache.fd = fd;
-+                    urandom_cache.st_dev = st.st_dev;
-+                    urandom_cache.st_ino = st.st_ino;
-+                }
-+            }
-+        }
-+
-+        do {
-+            n = _Py_read(fd, buffer, (size_t)size);
-+            if (n == -1)
-+                return -1;
-+            if (n == 0) {
-+                PyErr_Format(PyExc_RuntimeError,
-+                        "Failed to read %zi bytes from /dev/urandom",
-+                        size);
-+                return -1;
-+            }
-+
-+            buffer += n;
-+            size -= n;
-+        } while (0 < size);
-     }
--    /* getrandom() failed with ENOSYS or EPERM,
--       fall back on reading /dev/urandom */
--#endif
--
--    fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
--    if (fd < 0) {
--        Py_FatalError("Failed to open /dev/urandom");
--    }
--
--    while (0 < size)
--    {
--        do {
--            n = read(fd, buffer, (size_t)size);
--        } while (n < 0 && errno == EINTR);
--
--        if (n <= 0) {
--            /* read() failed or returned 0 bytes */
--            Py_FatalError("Failed to read bytes from /dev/urandom");
--            break;
--        }
--        buffer += n;
--        size -= n;
--    }
--    close(fd);
--}
--
--/* Read 'size' random bytes from py_getrandom(). Fall back on reading from
--   /dev/urandom if getrandom() is not available.
--
--   Return 0 on success. Raise an exception and return -1 on error. */
--static int
--dev_urandom_python(char *buffer, Py_ssize_t size)
--{
--    int fd;
--    Py_ssize_t n;
--    struct _Py_stat_struct st;
--#ifdef PY_GETRANDOM
--    int res;
--#endif
--
--    if (size <= 0)
--        return 0;
--
--#ifdef PY_GETRANDOM
--    res = py_getrandom(buffer, size, 1);
--    if (res < 0) {
--        return -1;
--    }
--    if (res == 1) {
--        return 0;
--    }
--    /* getrandom() failed with ENOSYS or EPERM,
--       fall back on reading /dev/urandom */
--#endif
--
--    if (urandom_cache.fd >= 0) {
--        /* Does the fd point to the same thing as before? (issue #21207) */
--        if (_Py_fstat_noraise(urandom_cache.fd, &st)
--            || st.st_dev != urandom_cache.st_dev
--            || st.st_ino != urandom_cache.st_ino) {
--            /* Something changed: forget the cached fd (but don't close it,
--               since it probably points to something important for some
--               third-party code). */
--            urandom_cache.fd = -1;
--        }
--    }
--    if (urandom_cache.fd >= 0)
--        fd = urandom_cache.fd;
-     else {
--        fd = _Py_open("/dev/urandom", O_RDONLY);
-+        fd = _Py_open_noraise("/dev/urandom", O_RDONLY);
-         if (fd < 0) {
--            if (errno == ENOENT || errno == ENXIO ||
--                errno == ENODEV || errno == EACCES)
--                PyErr_SetString(PyExc_NotImplementedError,
--                                "/dev/urandom (or equivalent) not found");
--            /* otherwise, keep the OSError exception raised by _Py_open() */
-             return -1;
-         }
--        if (urandom_cache.fd >= 0) {
--            /* urandom_fd was initialized by another thread while we were
--               not holding the GIL, keep it. */
--            close(fd);
--            fd = urandom_cache.fd;
--        }
--        else {
--            if (_Py_fstat(fd, &st)) {
-+
-+        while (0 < size)
-+        {
-+            do {
-+                n = read(fd, buffer, (size_t)size);
-+            } while (n < 0 && errno == EINTR);
-+
-+            if (n <= 0) {
-+                /* stop on error or if read(size) returned 0 */
-                 close(fd);
-                 return -1;
-             }
--            else {
--                urandom_cache.fd = fd;
--                urandom_cache.st_dev = st.st_dev;
--                urandom_cache.st_ino = st.st_ino;
--            }
-+
-+            buffer += n;
-+            size -= n;
-         }
-+        close(fd);
-     }
--
--    do {
--        n = _Py_read(fd, buffer, (size_t)size);
--        if (n == -1) {
--            return -1;
--        }
--        if (n == 0) {
--            PyErr_Format(PyExc_RuntimeError,
--                    "Failed to read %zi bytes from /dev/urandom",
--                    size);
--            return -1;
--        }
--
--        buffer += n;
--        size -= n;
--    } while (0 < size);
--
-     return 0;
- }
- 
-@@ -376,8 +402,8 @@ dev_urandom_close(void)
-         urandom_cache.fd = -1;
-     }
- }
-+#endif /* !MS_WINDOWS */
- 
--#endif
- 
- /* Fill buffer with pseudo-random bytes generated by a linear congruent
-    generator (LCG):
-@@ -400,29 +426,98 @@ lcg_urandom(unsigned int x0, unsigned ch
-     }
- }
- 
-+/* Read random bytes:
-+
-+   - Return 0 on success
-+   - Raise an exception (if raise is non-zero) and return -1 on error
-+
-+   Used sources of entropy ordered by preference, preferred source first:
-+
-+   - CryptGenRandom() on Windows
-+   - getrandom() function (ex: Linux and Solaris): call py_getrandom()
-+   - getentropy() function (ex: OpenBSD): call py_getentropy()
-+   - /dev/urandom device
-+
-+   Read from the /dev/urandom device if getrandom() or getentropy() function
-+   is not available or does not work.
-+
-+   Prefer getrandom() over getentropy() because getrandom() supports blocking
-+   and non-blocking mode and Python requires non-blocking RNG at startup to
-+   initialize its hash secret: see the PEP 524.
-+
-+   Prefer getrandom() and getentropy() over reading directly /dev/urandom
-+   because these functions don't need file descriptors and so avoid ENFILE or
-+   EMFILE errors (too many open files): see the issue #18756.
-+
-+   Only use RNG running in the kernel. They are more secure because it is
-+   harder to get the internal state of a RNG running in the kernel land than a
-+   RNG running in the user land. The kernel has a direct access to the hardware
-+   and has access to hardware RNG, they are used as entropy sources.
-+
-+   Note: the OpenSSL RAND_pseudo_bytes() function does not automatically reseed
-+   its RNG on fork(), two child processes (with the same pid) generate the same
-+   random numbers: see issue #18747. Kernel RNGs don't have this issue,
-+   they have access to good quality entropy sources.
-+
-+   If raise is zero:
-+
-+   - Don't raise an exception on error
-+   - Don't call the Python signal handler (don't call PyErr_CheckSignals()) if
-+     a function fails with EINTR: retry directly the interrupted function
-+   - Don't release the GIL to call functions.
-+*/
-+static int
-+pyurandom(void *buffer, Py_ssize_t size, int raise)
-+{
-+#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
-+    int res;
-+#endif
-+
-+    if (size < 0) {
-+        if (raise) {
-+            PyErr_Format(PyExc_ValueError,
-+                         "negative argument not allowed");
-+        }
-+        return -1;
-+    }
-+
-+    if (size == 0) {
-+        return 0;
-+    }
-+
-+#ifdef MS_WINDOWS
-+    return win32_urandom((unsigned char *)buffer, size, raise);
-+#else
-+
-+#if defined(PY_GETRANDOM) || defined(PY_GETENTROPY)
-+#ifdef PY_GETRANDOM
-+    res = py_getrandom(buffer, size, raise);
-+#else
-+    res = py_getentropy(buffer, size, raise);
-+#endif
-+    if (res < 0) {
-+        return -1;
-+    }
-+    if (res == 1) {
-+        return 0;
-+    }
-+    /* getrandom() or getentropy() function is not available: failed with
-+       ENOSYS, EPERM or EAGAIN. Fall back on reading from /dev/urandom. */
-+#endif
-+
-+    return dev_urandom(buffer, size, raise);
-+#endif
-+}
-+
- /* Fill buffer with size pseudo-random bytes from the operating system random
-    number generator (RNG). It is suitable for most cryptographic purposes
-    except long living private keys for asymmetric encryption.
- 
--   Return 0 on success, raise an exception and return -1 on error. */
-+   Return 0 on success. Raise an exception and return -1 on error. */
- int
- _PyOS_URandom(void *buffer, Py_ssize_t size)
- {
--    if (size < 0) {
--        PyErr_Format(PyExc_ValueError,
--                     "negative argument not allowed");
--        return -1;
--    }
--    if (size == 0)
--        return 0;
--
--#ifdef MS_WINDOWS
--    return win32_urandom((unsigned char *)buffer, size, 1);
--#elif defined(PY_GETENTROPY)
--    return py_getentropy(buffer, size, 0);
--#else
--    return dev_urandom_python((char*)buffer, size);
--#endif
-+    return pyurandom(buffer, size, 1);
- }
- 
- void
-@@ -463,13 +558,14 @@ void
-         }
-     }
-     else {
--#ifdef MS_WINDOWS
--        (void)win32_urandom(secret, secret_size, 0);
--#elif defined(PY_GETENTROPY)
--        (void)py_getentropy(secret, secret_size, 1);
--#else
--        dev_urandom_noraise(secret, secret_size);
--#endif
-+        int res;
-+
-+        /* _PyRandom_Init() is called very early in the Python initialization
-+           and so exceptions cannot be used (use raise=0). */
-+        res = pyurandom(secret, secret_size, 0);
-+        if (res < 0) {
-+            Py_FatalError("failed to get random numbers to initialize Python");
-+        }
-     }
- }
- 
-@@ -481,8 +577,6 @@ void
-         CryptReleaseContext(hCryptProv, 0);
-         hCryptProv = 0;
-     }
--#elif defined(PY_GETENTROPY)
--    /* nothing to clean */
- #else
-     dev_urandom_close();
- #endif
-
diff --git a/gnu/packages/patches/python-unittest2-python3-compat.patch b/gnu/packages/patches/python-unittest2-python3-compat.patch
new file mode 100644
index 0000000000..fe0afe559a
--- /dev/null
+++ b/gnu/packages/patches/python-unittest2-python3-compat.patch
@@ -0,0 +1,34 @@
+Skip tests that fail with newer versions of Python.
+
+Patch copied from Gentoo:
+
+https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-python/unittest2/files/unittest2-1.1.0-python3.5-test.patch
+
+diff --git a/unittest2/test/test_loader.py b/unittest2/test/test_loader.py
+index 683f662..347eea5 100644
+--- a/unittest2/test/test_loader.py
++++ b/unittest2/test/test_loader.py
+@@ -509,6 +509,7 @@ class Test_TestLoader(unittest2.TestCase):
+     #
+     # What happens when an impossible name is given, relative to the provided
+     # `module`?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromName__relative_malformed_name(self):
+         loader = unittest.TestLoader()
+ 
+@@ -811,6 +812,7 @@ class Test_TestLoader(unittest2.TestCase):
+     # TestCase or TestSuite instance."
+     #
+     # What happens when presented with an impossible module name?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromNames__malformed_name(self):
+         loader = unittest2.TestLoader()
+ 
+@@ -918,6 +920,7 @@ class Test_TestLoader(unittest2.TestCase):
+     # "The method optionally resolves name relative to the given module"
+     #
+     # What happens when presented with an impossible attribute name?
++    @unittest.skipIf(sys.version_info[:2] >= (3, 5), "python 3.5 has problems here")
+     def test_loadTestsFromNames__relative_malformed_name(self):
+         loader = unittest.TestLoader()
+ 
diff --git a/gnu/packages/patches/python2-unittest2-remove-argparse.patch b/gnu/packages/patches/python-unittest2-remove-argparse.patch
index c96738757e..c96738757e 100644
--- a/gnu/packages/patches/python2-unittest2-remove-argparse.patch
+++ b/gnu/packages/patches/python-unittest2-remove-argparse.patch
diff --git a/gnu/packages/patches/tcl-mkindex-deterministic.patch b/gnu/packages/patches/tcl-mkindex-deterministic.patch
deleted file mode 100644
index 2fcef6a4f7..0000000000
--- a/gnu/packages/patches/tcl-mkindex-deterministic.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-This patch ensures that the 'tclIndex' files generated by 'auto_mkindex'
-are sorted in a deterministic fashion.
-
-Fixes a non-determinism issue reported
-at <https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00696.html>.
-
---- tcl8.6.4/library/auto.tcl	2015-02-26 17:57:28.000000000 +0100
-+++ tcl8.6.4/library/auto.tcl	2015-11-13 23:18:34.964831717 +0100
-@@ -207,6 +207,9 @@ proc auto_mkindex {dir args} {
- 	set args *.tcl
-     }
- 
-+    # Keep file names sorted in a determistic order.
-+    set args [lsort -ascii $args]
-+
-     auto_mkindex_parser::init
-     foreach file [glob -- {*}$args] {
- 	try {
-@@ -241,6 +244,10 @@ proc auto_mkindex_old {dir args} {
-     if {![llength $args]} {
- 	set args *.tcl
-     }
-+
-+    # Keep file names sorted in a determistic order.
-+    set args [lsort -ascii $args]
-+
-     foreach file [glob -- {*}$args] {
- 	set f ""
- 	set error [catch {
diff --git a/gnu/packages/patches/valgrind-glibc-compat.patch b/gnu/packages/patches/valgrind-glibc-compat.patch
new file mode 100644
index 0000000000..4f8effd207
--- /dev/null
+++ b/gnu/packages/patches/valgrind-glibc-compat.patch
@@ -0,0 +1,18 @@
+Fix build failure with glibc 2.26.
+
+Patch copied from upstream source repository:
+https://sourceware.org/git/?p=valgrind.git;a=commit;h=2b5eab6a8db1b0487a3ad7fc4e7eeda6d3513626
+
+diff --git a/memcheck/tests/linux/stack_changes.c b/memcheck/tests/linux/stack_changes.c
+index a978fc2..7f97b90 100644
+--- a/memcheck/tests/linux/stack_changes.c
++++ b/memcheck/tests/linux/stack_changes.c
+@@ -10,7 +10,7 @@
+ // This test is checking the libc context calls (setcontext, etc.) and
+ // checks that Valgrind notices their stack changes properly.
+ 
+-typedef  struct ucontext  mycontext;
++typedef  ucontext_t  mycontext;
+ 
+ mycontext ctx1, ctx2, oldc;
+ int count;
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 0cfde15d1c..ee853d5015 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -33,8 +34,7 @@
 (define-public pcre
   (package
    (name "pcre")
-   (version "8.40")
-   (replacement pcre-8.41)
+   (version "8.41")
    (source (origin
             (method url-fetch)
             (uri (list
@@ -43,10 +43,9 @@
                                  "pcre-" version ".tar.bz2")
                   (string-append "mirror://sourceforge/pcre/pcre/"
                                  version "/pcre-" version ".tar.bz2")))
-            (patches (search-patches "pcre-CVE-2017-7186.patch"))
             (sha256
              (base32
-              "1x7lpjn7jhk0n3sdvggxrlrhab8kkfjwl7qix0ypw9nlx8lpmqh0"))))
+              "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))
    (build-system gnu-build-system)
    (outputs '("out"           ;library & headers
               "bin"           ;depends on Readline (adds 20MiB to the closure)
@@ -73,21 +72,6 @@ POSIX regular expression API.")
    (license license:bsd-3)
    (home-page "https://www.pcre.org/")))
 
-(define pcre-8.41
-  (package
-    (inherit pcre)
-    (version "8.41")
-    (source (origin
-              (method url-fetch)
-              (uri (list (string-append "mirror://sourceforge/pcre/pcre/"
-                                        version "/pcre-" version ".tar.bz2")
-                         (string-append "ftp://ftp.csx.cam.ac.uk"
-                                        "/pub/software/programming/pcre/"
-                                        "pcre-" version ".tar.bz2")))
-              (sha256
-               (base32
-                "0c5m469p5pd7jip621ipq6hbgh7128lzh7xndllfgh77ban7wb76"))))))
-
 (define-public pcre2
   (package
     (name "pcre2")
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 96773da717..5df7385e78 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -79,15 +79,15 @@
 (define-public poppler
   (package
    (name "poppler")
-   (version "0.59.0")
+   (version "0.62.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0hcnghliyr8pr887qza18qfgaclw5jr889g1cjcglkni9jr2dmm3"))))
-   (build-system gnu-build-system)
+              "1ii9ly1pngyvs0aiq2wxpya08hidpl54y7nsb8b1vxnnskgp76jv"))))
+   (build-system cmake-build-system)
    ;; FIXME:
    ;;  use libcurl:        no
    (inputs `(("fontconfig" ,fontconfig)
@@ -96,7 +96,7 @@
              ("libpng" ,libpng)
              ("libtiff" ,libtiff)
              ("lcms" ,lcms)
-             ("openjpeg-1" ,openjpeg-1) ; prefers openjpeg-1
+             ("openjpeg" ,openjpeg)
              ("zlib" ,zlib)
 
              ;; To build poppler-glib (as needed by Evince), we need Cairo and
@@ -112,20 +112,12 @@
    (arguments
     `(#:tests? #f ; no test data provided with the tarball
       #:configure-flags
-      '("--enable-xpdf-headers" ; to install header files
-        "--enable-zlib"
-
-        ;; Saves 8 MiB of .a files.
-        "--disable-static")
-      #:phases
-      (modify-phases %standard-phases
-        (add-before 'configure 'setenv
-          (lambda _
-            (setenv "CPATH"
-                    (string-append (assoc-ref %build-inputs "openjpeg-1")
-                                   "/include/openjpeg-1.5"
-                                   ":" (or (getenv "CPATH") "")))
-            #t)))))
+      (let* ((out (assoc-ref %outputs "out"))
+             (lib (string-append out "/lib")))
+        (list "-DENABLE_XPDF_HEADERS=ON" ; to install header files
+              "-DENABLE_ZLIB=ON"
+              (string-append "-DCMAKE_INSTALL_LIBDIR=" lib)
+              (string-append "-DCMAKE_INSTALL_RPATH=" lib)))))
    (synopsis "PDF rendering library")
    (description
     "Poppler is a PDF rendering library based on the xpdf-3.0 code base.")
@@ -144,10 +136,6 @@
    (name "poppler-qt5")
    (inputs `(("qtbase" ,qtbase)
              ,@(package-inputs poppler)))
-   (arguments
-    (substitute-keyword-arguments (package-arguments poppler)
-     ((#:configure-flags flags)
-       `(cons "CXXFLAGS=-std=gnu++11" ,flags))))
    (synopsis "Qt5 frontend for the Poppler PDF rendering library")))
 
 (define-public python-poppler-qt4
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index c1bc776469..1e19e8807d 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -56,14 +56,14 @@
   ;; Yeah, Perl...  It is required early in the bootstrap process by Linux.
   (package
     (name "perl")
-    (version "5.26.0")
+    (version "5.26.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://cpan/src/5.0/perl-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0zxn9hd7mqgq06ikyi6k70ngbvjf01z1paw0jd25byyl0rlwdrzb"))
+               "1p81wwvr5jb81m41d07kfywk5gvbk0axdrnvhc2aghcdbr4alqz7"))
              (patches (search-patches
                        "perl-file-path-CVE-2017-6512.patch"
                        "perl-no-sys-dirs.patch"
@@ -5091,7 +5091,7 @@ private methods are not.")
 (define-public perl-moosex-getopt
   (package
     (name "perl-moosex-getopt")
-    (version "0.65")
+    (version "0.71")
     (source
      (origin
        (method url-fetch)
@@ -5099,7 +5099,7 @@ private methods are not.")
                            "MooseX-Getopt-" version ".tar.gz"))
        (sha256
         (base32
-         "1nkzvbsiwldmpn6207ns7rinh860djnw098h6cnvywf429rjnz60"))))
+         "0nf2094qgir0irxjycwqavy53ygm530g9f7cxfywnl2n1bmgh66y"))))
     (build-system perl-build-system)
     (native-inputs
      `(("perl-module-build" ,perl-module-build)
@@ -8760,7 +8760,12 @@ interface to File::Find::Object.")
         (base32 "1lgfr87j4qwqnln0hyyzgik5ixqslzdaksn9m8y824gqbcihc6ic"))))
     (build-system perl-build-system)
     (arguments
-     `(#:phases
+     `(;; XXX: We'd like to use #:disallowed-references 'perl-build-system'
+       ;; doesn't support it yet.
+       ;;
+       ;; #:disallowed-references (,tzdata-for-tests)
+
+       #:phases
        (modify-phases %standard-phases
          ;; This is needed for tests
          (add-after 'unpack 'set-TZDIR
@@ -8770,7 +8775,7 @@ interface to File::Find::Object.")
              #t)))))
     (native-inputs
      `(("perl-module-build" ,perl-module-build)
-       ("tzdata" ,tzdata-2017a)))
+       ("tzdata" ,tzdata-for-tests)))
     (home-page "https://metacpan.org/release/Time-ParseDate")
     (synopsis "Collection of Perl modules for time/date manipulation")
     (description "Provides several perl modules for date/time manipulation:
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index d8a80acb36..97f133cdf8 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -341,7 +341,7 @@ photographic equipment.")
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f ; There are no tests.
-       #:configure-flags '("-DCMAKE_INSTALL_LIBDIR=lib" "-DBINARY_PACKAGE_BUILD=On")
+       #:configure-flags '("-DBINARY_PACKAGE_BUILD=On")
        #:make-flags
        (list
         (string-append "CPATH=" (assoc-ref %build-inputs "ilmbase")
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 39f54437cb..249afd3f68 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -131,7 +131,7 @@ rates.")
 (define-public pulseaudio
   (package
     (name "pulseaudio")
-    (version "11.0")
+    (version "11.1")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -139,7 +139,7 @@ rates.")
                    name "-" version ".tar.xz"))
              (sha256
               (base32
-               "0sf92knqkvqmfhrbz4vlsagzqlps72wycpmln5dygicg07a0a8q7"))
+               "17ndr6kc7hpv4ih4gygwlcpviqifbkvnk4fbwf4n25kpb991qlpj"))
              (modules '((guix build utils)))
              (snippet
               ;; Disable console-kit support by default since it's deprecated
@@ -158,16 +158,16 @@ rates.")
                                (string-append "--with-udev-rules-dir="
                                               (assoc-ref %outputs "out")
                                               "/lib/udev/rules.d"))
-       #:phases (alist-cons-before
-                 'check 'pre-check
-                 (lambda _
-                   ;; 'tests/lock-autospawn-test.c' wants to create a file
-                   ;; under ~/.config/pulse.
-                   (setenv "HOME" (getcwd))
-                   ;; 'thread-test' needs more time on hydra and on slower
-                   ;; machines, so we set the default timeout to 120 seconds.
-                   (setenv "CK_DEFAULT_TIMEOUT" "120"))
-                 %standard-phases)))
+       #:phases (modify-phases %standard-phases
+                 (add-before 'check 'pre-check
+                   (lambda _
+                     ;; 'tests/lock-autospawn-test.c' wants to create a file
+                     ;; under ~/.config/pulse.
+                     (setenv "HOME" (getcwd))
+                     ;; 'thread-test' needs more time on hydra and on slower
+                     ;; machines, so we set the default timeout to 120 seconds.
+                     (setenv "CK_DEFAULT_TIMEOUT" "120")
+                     #t)))))
     (inputs
      ;; TODO: Add optional inputs (GTK+?).
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/python-crypto.scm b/gnu/packages/python-crypto.scm
index a545f0ddcc..eacd085e55 100644
--- a/gnu/packages/python-crypto.scm
+++ b/gnu/packages/python-crypto.scm
@@ -325,7 +325,7 @@ is used by the Requests library to verify HTTPS requests.")
        ("python-hypothesis" ,python-hypothesis)
        ("python-pretend" ,python-pretend)
        ("python-pytz" ,python-pytz)
-       ("python-pytest" ,python-pytest-3.0)))
+       ("python-pytest" ,python-pytest)))
     (home-page "https://github.com/pyca/cryptography")
     (synopsis "Cryptographic recipes and primitives for Python")
     (description
@@ -385,7 +385,7 @@ message digests and key derivation functions.")
     (native-inputs
      `(("python-flaky" ,python-flaky)
        ("python-pretend" ,python-pretend)
-       ("python-pytest" ,python-pytest-3.0)))
+       ("python-pytest" ,python-pytest)))
     (home-page "https://github.com/pyca/pyopenssl")
     (synopsis "Python wrapper module around the OpenSSL library")
     (description
diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index 4e280b4590..e8af28f9c8 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -674,15 +674,14 @@ that have uses outside of the Zope framework.")
 (define-public python-zope-testing
   (package
     (name "python-zope-testing")
-    (version "4.5.0")
+    (version "4.6.1")
     (source
      (origin
        (method url-fetch)
-       (uri (string-append "https://pypi.python.org/packages/source/z"
-                           "/zope.testing/zope.testing-" version ".tar.gz"))
+       (uri (pypi-uri "zope.testing" version))
        (sha256
         (base32
-         "1yvglxhzvhl45mndvn9gskx2ph30zz1bz7rrlyfs62fv2pvih90s"))
+         "1vvxhjmzl7vw2i1akfj1xbggwn36270ym7f2ic9xwbaswfw1ap56"))
        (modules '((guix build utils)))
        (snippet
         '(begin
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index e4d5edb41f..439c05b665 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -137,7 +137,7 @@
 (define-public python-2.7
   (package
     (name "python")
-    (version "2.7.13")
+    (version "2.7.14")
     (source
      (origin
       (method url-fetch)
@@ -145,12 +145,12 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "0cgpk3zk0fgpji59pb4zy9nzljr70qzgv1vpz5hq5xw2d2c47m9m"))
+        "0rka541ys16jwzcnnvjp2v12m4cwgd2jp6wj4kj511p715pb5zvi"))
       (patches (search-patches "python-2.7-search-paths.patch"
                                "python-2-deterministic-build-info.patch"
                                "python-2.7-site-prefixes.patch"
                                "python-2.7-source-date-epoch.patch"
-                               "python-2.7-getentropy-on-old-kernels.patch"))
+                               "python-2.7-adjust-tests.patch"))
       (modules '((guix build utils)))
       ;; suboptimal to delete failing tests here, but if we delete them in the
       ;; arguments then we need to make sure to strip out that phase when it
@@ -208,6 +208,7 @@
                                   '("Lib/subprocess.py"
                                     "Lib/popen2.py"
                                     "Lib/distutils/tests/test_spawn.py"
+                                    "Lib/test/support/__init__.py"
                                     "Lib/test/test_subprocess.py"))
                (("/bin/sh") (which "sh")))
 
@@ -333,28 +334,28 @@ data types.")
 ;; Current 2.x version.
 (define-public python-2 python-2.7)
 
-(define-public python-3.5
+(define-public python-3.6
   (package (inherit python-2)
-    (version "3.5.3")
+    (version "3.6.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
                         "python-fix-tests.patch"
-                        "python-3.5-fix-tests.patch"
-                        "python-3.5-getentropy-on-old-kernels.patch"
+                        "python-3-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"
                         "python-3-search-paths.patch"))
               (patch-flags '("-p0"))
               (sha256
                (base32
-                "1c6v1n9nz4mlx9mw1125fxpmbrgniqdbbx9hnqx44maqazb2mzpf"))
+                "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd"))
               (snippet
                '(begin
                   (for-each delete-file
-                            '("Lib/ctypes/test/test_win32.py" ; fails on aarch64
-                              "Lib/test/test_fcntl.py"))
+                            '("Lib/ctypes/test/test_structures.py" ; fails on aarch64
+                              "Lib/ctypes/test/test_win32.py" ; fails on aarch64
+                              "Lib/test/test_fcntl.py")) ; fails on aarch64
                   #t))))
     (arguments (substitute-keyword-arguments (package-arguments python-2)
                  ((#:tests? _) #t)))
@@ -366,7 +367,7 @@ data types.")
                                         "/site-packages"))))))))
 
 ;; Current 3.x version.
-(define-public python-3 python-3.5)
+(define-public python-3 python-3.6)
 
 ;; Current major version.
 (define-public python python-3)
@@ -1003,18 +1004,24 @@ from the Python interpreter, or as a small part of a larger application.")
 (define-public python-six
   (package
     (name "python-six")
-    (version "1.10.0")
+    (version "1.11.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "six" version))
       (sha256
        (base32
-        "0snmb8xffb3vsma0z67i0h0w2g2dy0p3gsgh9gi4i0kgc5l8spqh"))))
+        "1scqzwc51c875z23phj48gircqjgnn3af8zy2izjwmnlxrxsgs3h"))))
     (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (replace 'check
+           (lambda _
+             (zero? (system* "py.test" "-v")))))))
     (native-inputs
      `(("python-py" ,python-py)
-       ("python-pytest" ,python-pytest)))
+       ("python-pytest" ,python-pytest-bootstrap)))
     (home-page "https://pypi.python.org/pypi/six/")
     (synopsis "Python 2 and 3 compatibility utilities")
     (description
@@ -1306,6 +1313,28 @@ bug tracker.")
     (home-page "http://www.liquidx.net/pybugz/")
     (license license:gpl2)))
 
+(define-public python2-enum
+  (package
+    (name "python2-enum")
+    (version "0.4.6")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "enum" version))
+              (sha256
+               (base32
+                "13lk3yrwj42vl30kw3c194f739nrfrdg64s6i0v2p636n4k8brsl"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (home-page "http://pypi.python.org/pypi/enum/")
+    (synopsis "Robust enumerated type support in Python")
+    (description
+     "This provides a module for robust enumerations in Python.  It has
+been superseded by the Python standard library and is provided only for
+compatibility.")
+    ;; Choice of either license.
+    (license (list license:gpl3+ license:psfl))))
+
 (define-public python-enum34
   (package
     (name "python-enum34")
@@ -1531,17 +1560,62 @@ matching them against a list of media-ranges.")
      "@code{pafy} is a python library to retrieve YouTube content and metadata.")
     (license license:lgpl3+)))
 
+(define-public python2-funcsigs
+  (package
+    (name "python2-funcsigs")
+    (version "1.0.2")
+    (source (origin
+              (method url-fetch)
+              (uri (pypi-uri "funcsigs" version))
+              (sha256
+               (base32
+                "0l4g5818ffyfmfs1a924811azhjj8ax9xd1cffr1mzd3ycn0zfx7"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:python ,python-2))
+    (native-inputs
+     `(("python2-unittest2" ,python2-unittest2)))
+    (home-page "http://funcsigs.readthedocs.org")
+    (synopsis "Python function signatures from PEP362")
+    (description
+     "Backport of @code{funcsigs} which was introduced in Python 3.3.")
+    (license license:asl2.0)))
+
+(define-public python-pafy
+  (package
+    (name "python-pafy")
+    (version "0.5.3.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "pafy" version))
+       (sha256
+        (base32
+         "1a7dxi95m1043rxx1r5x3ngb66nwlq6aqcasyqqjzmmmjps4zrim"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f)) ; Currently pafy can not find itself in the tests
+    (propagated-inputs
+     ;; Youtube-dl is a python package which is imported in the file
+     ;; "backend_youtube_dl.py", therefore it needs to be propagated.
+     `(("youtube-dl" ,youtube-dl)))
+    (home-page "https://np1.github.io/pafy/")
+    (synopsis "Retrieve YouTube content and metadata")
+    (description
+     "@code{pafy} is a python library to retrieve YouTube content and metadata.")
+    (license license:lgpl3+)))
+
 (define-public python-py
   (package
     (name "python-py")
-    (version "1.4.32")
+    (version "1.4.34")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "py" version))
        (sha256
         (base32
-         "19s1pql9pq85h1qzsdwgyb8a3k1qgkvh33b02m8kfqhizz8rzf64"))))
+         "1qyd5z0hv8ymxy84v5vig3vps2fvhcf4bdlksb3r03h549fmhb8g"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: "ImportError: 'test' module incorrectly imported from
@@ -1678,7 +1752,10 @@ files.")
          "02qkfpykbq35id8glfgwc38yc430427yd05z1wc5cnld8zgicmgi"))))
     (build-system python-build-system)
     (arguments
-     `(#:phases
+     `(;; The tests are fragile, depending on a specific version of pytest:
+       ;; <https://github.com/pallets/click/issues/823>
+       #:tests? #f
+       #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'fix-paths
            (lambda* (#:key inputs #:allow-other-keys)
@@ -1687,10 +1764,7 @@ files.")
                (substitute* "click/_unicodefun.py"
                  (("'locale'")
                   (string-append "'" glibc "/bin/locale'"))))
-             #t))
-         (replace 'check
-           (lambda _
-             (zero? (system* "make" "test")))))))
+             #t)))))
     (native-inputs
      `(("python-pytest" ,python-pytest)))
     (home-page "http://click.pocoo.org")
@@ -1911,7 +1985,7 @@ somewhat intelligible.")
            #t))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/progrium/pyjwt")
@@ -2073,18 +2147,6 @@ for Python.")
         (base32
          "1zzrkywhziqffrzks14kzixz7nd4yh2vc0fb04a68vfd2ai03anx"))))
     (build-system python-build-system)
-    (arguments
-     `(#:phases
-       (modify-phases %standard-phases
-         ;; These files cannot be built with Python < 3.6.  See
-         ;; https://github.com/pallets/jinja/issues/655
-         ;; FIXME: Remove this when the "python" package is upgraded.
-         (add-after 'unpack 'delete-incompatible-files
-           (lambda _
-             (for-each delete-file
-                       '("jinja2/asyncsupport.py"
-                         "jinja2/asyncfilters.py"))
-             #t)))))
     (propagated-inputs
      `(("python-markupsafe" ,python-markupsafe)))
     (home-page "http://jinja.pocoo.org/")
@@ -2335,7 +2397,7 @@ sources.")
      `(("python-sphinxcontrib-websupport" ,python-sphinxcontrib-websupport)
        ,@(package-propagated-inputs python-sphinx)))
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("imagemagick" ,imagemagick) ; for "convert"
        ,@(package-native-inputs python-sphinx)))
     (properties '())))
@@ -2353,7 +2415,7 @@ sources.")
         (base32
          "0kw1axswbvaavr8ggyf4qr6hnisnrzlbkkcdada69vk1x9xjassg"))))
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ,@(package-native-inputs python-sphinx)))))
 
 (define-public python2-sphinx
@@ -2647,7 +2709,7 @@ between language specification and implementation aspects.")
 (define-public python-numpy
   (package
     (name "python-numpy")
-    (version "1.12.0")
+    (version "1.13.3")
     (source
      (origin
        (method url-fetch)
@@ -2656,7 +2718,7 @@ between language specification and implementation aspects.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "025d4j4aakcp8w5i5diqh812cbbjgac7jszx1j56ivrbi1i8vv7d"))))
+         "1f25rbn6n4ia87spy18iwc76g36d9mimyl27p2lfaalgx897pf8x"))))
     (build-system python-build-system)
     (inputs
      `(("openblas" ,openblas)
@@ -2723,26 +2785,6 @@ capabilities.")
 (define-public python2-numpy
   (package-with-python2 python-numpy))
 
-(define-public python-numpy-next
-  (package (inherit python-numpy)
-    (name "python-numpy-next")
-    (version "1.13.1")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (pypi-uri "numpy" version ".zip"))
-       (sha256
-        (base32
-         "1fsgkhh1vdkhmlz8vmdgxnj9n9yaanckxxzz9s0b4p08fqvjic69"))))
-    (native-inputs
-     `(("unzip" ,unzip)
-       ("python-cython" ,python-cython)
-       ("python-nose" ,python-nose)
-       ("gfortran" ,gfortran)))))
-
-(define-public python2-numpy-next
-  (package-with-python2 python-numpy-next))
-
 ;; NOTE: NumPy 1.8 is packaged only for Python 2 because it is of
 ;; interest only for legacy code going back to NumPy's predecessor
 ;; Numeric.
@@ -4051,7 +4093,7 @@ Python language binding specification.")
     (arguments '(#:tests? #f)) ; Test file 'grako.ebnf' is missing from archive.
     (native-inputs
      `(("unzip" ,unzip)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://bitbucket.org/neogeny/grako")
     (synopsis "EBNF parser generator")
@@ -4109,7 +4151,7 @@ cluster without needing to write any wrapper code yourself.")
         (base32 "0zizn61n5z5hq421hkypk9pw8s6fpxw30f4hsg7k4ivwzy3gjw9j"))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-mock" ,python-mock)
        ("python-tox" ,python-tox)
        ("which" ,which))) ;for tests
@@ -4172,7 +4214,7 @@ displayed.")
          (replace 'check (lambda _ (zero? (system* "nosetests" "-v")))))))
     (native-inputs
      `(("python-nose" ,python-nose)
-       ("python-pytest" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("man-db" ,man-db)
        ("which" ,which)
        ("bash-full" ,bash)))                 ;full Bash for 'test_replwrap.py'
@@ -4193,13 +4235,13 @@ child application and control it as if a human were typing commands.")
 (define-public python-setuptools-scm
   (package
     (name "python-setuptools-scm")
-    (version "1.15.0")
+    (version "1.15.6")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "setuptools_scm" version))
               (sha256
                (base32
-                "0bwyc5markib0i7i2qlyhdzxhiywzxbkfiapldma8m91m82jvwfs"))))
+                "0pzvfmx8s20yrgkgwfbxaspz2x1g38qv61jpm0ns91lrb22ldas9"))))
     (build-system python-build-system)
     (home-page "https://github.com/pypa/setuptools_scm/")
     (synopsis "Manage Python package versions in SCM metadata")
@@ -5252,14 +5294,14 @@ PEP 8.")
 (define-public python-pyflakes
   (package
     (name "python-pyflakes")
-    (version "1.0.0")
+    (version "1.5.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "pyflakes" version))
         (sha256
           (base32
-            "0qs2sgqszq7wcplis8509wk2ygqcrwzbs1ghfj3svvivq2j377pk"))))
+            "1x1pcca4a24k4pw8x1c77sgi58cg1wl2k38mp8a25k608pzls3da"))))
     (build-system python-build-system)
     (home-page
       "https://github.com/pyflakes/pyflakes")
@@ -5274,17 +5316,17 @@ PEP 8.")
 (define-public python-mccabe
   (package
     (name "python-mccabe")
-    (version "0.4.0")
+    (version "0.6.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "mccabe" version))
         (sha256
           (base32
-            "0yr08a36h8lqlif10l4xcikbbig7q8f41gqywir7rrvnv3mi4aws"))))
+            "07w3p1qm44hgxf3vvwz84kswpsx6s7kvaibzrsx5dzm0hli1i3fx"))))
     (build-system python-build-system)
     (native-inputs
-      `(("python-pytest" ,python-pytest)
+      `(("python-pytest" ,python-pytest-bootstrap)
         ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://github.com/flintwork/mccabe")
     (synopsis "McCabe checker, plugin for flake8")
@@ -5357,39 +5399,48 @@ complexity of Python source code.")
 (define-public python-flake8
   (package
     (name "python-flake8")
-    (version "2.5.4")
+    (version "3.4.1")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "flake8" version))
         (sha256
           (base32
-            "0bs9cz4fr99r2rwig1b8jwaadl1nan7kgpdzqwj0bwbckwbmh7nc"))
-        (modules '((guix build utils)))
-        (snippet
-         '(begin
-            ;; Remove pre-compiled .pyc files from source.
-            (for-each delete-file-recursively
-                      (find-files "." "__pycache__" #:directories? #t))
-            (for-each delete-file (find-files "." "\\.pyc$"))
-            #t))))
-    (build-system python-build-system)
-    (propagated-inputs
-      `(("python-pep8" ,python-pep8)
+            "1n0i38592vy3q0x2a9bf8z6rhhn04i30wsn5i5zzcj7qkxvl8062"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (delete 'check)
+         (add-after 'install 'check
+          (lambda* (#:key inputs outputs #:allow-other-keys)
+            (add-installed-pythonpath inputs outputs)
+            (zero? (system* "pytest" "-v")))))))
+    (propagated-inputs
+      `(("python-pycodestyle" ,python-pycodestyle)
         ("python-pyflakes" ,python-pyflakes)
+        ;; flake8 depends on a newer setuptools than provided by python.
+        ("python-setuptools" ,python-setuptools)
         ("python-mccabe" ,python-mccabe)))
     (native-inputs
       `(("python-mock" ,python-mock) ; TODO: only required for < 3.3
-        ("python-nose" ,python-nose)))
+        ("python-pytest" ,python-pytest-bootstrap)
+        ("python-pytest-runner" ,python-pytest-runner)))
     (home-page "https://gitlab.com/pycqa/flake8")
     (synopsis
       "The modular source code checker: pep8, pyflakes and co")
     (description
       "Flake8 is a wrapper around PyFlakes, pep8 and python-mccabe.")
+    (properties `((python2-variant . ,(delay python2-flake8))))
     (license license:expat)))
 
 (define-public python2-flake8
-  (package-with-python2 python-flake8))
+  (let ((base (package-with-python2 (strip-python2-variant python-flake8))))
+    (package (inherit base)
+      (propagated-inputs
+       `(("python2-configparser" ,python2-configparser)
+         ("python2-enum" ,python2-enum)
+          ,@(package-propagated-inputs base))))))
 
 (define-public python-flake8-polyfill
   (package
@@ -7164,6 +7215,10 @@ Python at your fingertips, in Lisp form.")
     (build-system python-build-system)
     (arguments
      `(#:python ,python-2
+       ;; The test suite fails with Python > 2.7.13:
+       ;;     import test.support
+       ;; ImportError: No module named support
+       #:tests? #f
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'patch-/bin/sh
@@ -7171,15 +7226,7 @@ Python at your fingertips, in Lisp form.")
              (substitute* '("subprocess32.py"
                             "test_subprocess32.py")
                (("/bin/sh") (which "sh")))
-             #t))
-         (delete 'check)
-         (add-after 'install 'check
-           (lambda* (#:key inputs outputs #:allow-other-keys)
-             ;; For some reason this package fails to import
-             ;; _posixsubprocess.so when PYTHONPATH is set to the build
-             ;; directory. Running tests after install is easier.
-             (add-installed-pythonpath inputs outputs)
-             (zero? (system* "python" "test_subprocess32.py")))))))
+             #t)))))
     (home-page "https://github.com/google/python-subprocess32")
     (synopsis "Backport of the subprocess module from Python 3.2")
     (description
@@ -9404,8 +9451,8 @@ interface for programs.")
          (base32
           "0rfyxcy4cr3x848vhx876ifalxd5ghq6l5x813m49h4vq2d4jiq8"))))
     (build-system python-build-system)
-    (native-inputs
-     `(("python-pytest" ,python-pytest)))
+    (arguments
+     '(#:tests? #f)) ; The tests are not distributed
     (propagated-inputs
      `(("python-requests" ,python-requests)
        ("python-six" ,python-six)))
@@ -9609,8 +9656,8 @@ to Python.")
          (base32
           "1nv5dxcj59zv31qvl8bd142njmxcmymny2dz3br1l2cpbljbf5i7"))))
     (build-system python-build-system)
-    (native-inputs
-     `(("python-pytest" ,python-pytest)))
+    (arguments
+     '(#:tests? #f)) ; The tests are not distributed
     (propagated-inputs
      `(("python-graphql-core" ,python-graphql-core)
        ("python-promise" ,python-promise)
@@ -11453,7 +11500,7 @@ address is valid and really exists.")
      `(("python-dateutil" ,python-dateutil)
        ("python-simplejson" ,python-simplejson)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytz" ,python-pytz)))
     (home-page "https://github.com/marshmallow-code/marshmallow")
     (synopsis "Convert complex datatypes to and from native
@@ -11480,7 +11527,7 @@ complex datatypes to and from native Python datatypes.")
     (propagated-inputs
      `(("python-pyyaml" ,python-pyyaml)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-flask" ,python-flask)
        ("python-marshmallow" ,python-marshmallow)
        ("python-tornado" ,python-tornado)
@@ -11533,7 +11580,7 @@ Swagger 2.0).")
        ("python-flake8" ,python-flake8)
        ("python-flask-restful" ,python-flask-restful)
        ("python-flex" ,python-flex)
-       ("python-pytest-3.0" ,python-pytest-3.0)
+       ("python-pytest" ,python-pytest)
        ("python-pytest-cov" ,python-pytest-cov)
        ("python-marshmallow" ,python-marshmallow)
        ("python-apispec" ,python-apispec)))
@@ -11931,7 +11978,7 @@ their files and supports any packaging format (including wheels).")
      `(;; The tests depend on unittest2, and our version is a bit too old.
        #:tests? #f))
     (native-inputs
-     `(("python-pbr" ,python-pbr)))
+     `(("python-pbr" ,python-pbr-minimal)))
     (home-page
       "https://github.com/testing-cabal/linecache2")
     (synopsis "Backports of the linecache module")
@@ -11960,7 +12007,7 @@ lines are read from a single file.")
      `(;; python-traceback2 and python-unittest2 depend on one another.
        #:tests? #f))
     (native-inputs
-     `(("python-pbr" ,python-pbr)))
+     `(("python-pbr" ,python-pbr-minimal)))
     (propagated-inputs
       `(("python-linecache2" ,python-linecache2)))
     (home-page
@@ -12061,7 +12108,7 @@ services.")
          "1nii1sz5jq75ilf18bjnr11l9rz1lvdmyk66bxl7q90qan85yhjj"))))
     (build-system python-build-system)
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)))
+     `(("python-pytest" ,python-pytest)))
     (propagated-inputs
      `(("python-setuptools-scm" ,python-setuptools-scm)))
     (home-page "https://github.com/Changaco/setuptools_scm_git_archive/")
@@ -12119,7 +12166,7 @@ belong to tagged versions.")
      `(#:python ,python-2))
     (native-inputs
      `(("unzip" ,unzip)
-       ("python2-pytest-3.0" ,python2-pytest-3.0)
+       ("python2-pytest" ,python2-pytest)
        ("python2-pytest-runner" ,python2-pytest-runner)))
     (propagated-inputs
      `(("python-fonttools" ,python2-fonttools)
diff --git a/gnu/packages/rdesktop.scm b/gnu/packages/rdesktop.scm
index 65d17de637..1a2d0412d1 100644
--- a/gnu/packages/rdesktop.scm
+++ b/gnu/packages/rdesktop.scm
@@ -112,8 +112,7 @@ to remotely control a user's Windows desktop.")
          ("openssl" ,openssl)))
       (arguments
        `(#:configure-flags
-         (list "-DCMAKE_INSTALL_LIBDIR=lib"
-               "-DCMAKE_BUILD_TYPE=RELEASE"
+         (list "-DCMAKE_BUILD_TYPE=RELEASE"
                "-DWITH_JPEG=ON"
                ,@(if (string-prefix? "x86_64"
                                      (or (%current-target-system)
diff --git a/gnu/packages/readline.scm b/gnu/packages/readline.scm
index 44f4e74d39..4695e9fc71 100644
--- a/gnu/packages/readline.scm
+++ b/gnu/packages/readline.scm
@@ -27,68 +27,77 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
-  #:use-module (guix utils))
+  #:use-module (guix utils)
+  #:use-module (ice-9 format))
+
+(define (patch-url seqno)
+  (format #f "mirror://gnu/readline/readline-7.0-patches/readline70-~3,'0d" seqno))
+
+(define (readline-patch seqno sha256)
+  "Return the origin of Readline patch SEQNO, with expected hash SHA256"
+  (origin
+    (method url-fetch)
+    (uri (patch-url seqno))
+    (sha256 sha256)))
+
+(define-syntax-rule (patch-series (seqno hash) ...)
+  (list (readline-patch seqno (base32 hash))
+        ...))
+
+(define %patch-series-7.0
+  (patch-series
+   (1 "0xm3sxvwmss7ddyfb11n6pgcqd1aglnpy15g143vzcf75snb7hcs")
+   (2 "0n1dxmqsbjgrfxb1hgk5c6lsraw4ncbnzxlsx7m35nym6lncjiw7")
+   (3 "1027kmymniizcy0zbdlrczxfx3clxcdln5yq05q9yzlc6y9slhwy")))
 
 (define-public readline
-  (let ((post-install-phase
-         '(lambda* (#:key outputs #:allow-other-keys)
-            (let* ((out (assoc-ref outputs "out"))
-                   (lib (string-append out "/lib")))
-              ;; Make libraries writable so that `strip' can work.
-              ;; Failing to do that, it bails out with "Permission
-              ;; denied".
-              (for-each (lambda (f) (chmod f #o755))
-                        (find-files lib "\\.so"))
-              (for-each (lambda (f) (chmod f #o644))
-                        (find-files lib "\\.a"))))))
-    (package
-      (name "readline")
-      (version "7.0")
-      (source (origin
-               (method url-fetch)
-               (uri (string-append "mirror://gnu/readline/readline-"
-                                   version ".tar.gz"))
-               (sha256
-                (base32
-                 "0d13sg9ksf982rrrmv5mb6a2p4ys9rvg9r71d6il0vr8hmql63bm"))
-               (patches (search-patches "readline-link-ncurses.patch"))
-               (patch-flags '("-p0"))))
-      (build-system gnu-build-system)
-      (propagated-inputs `(("ncurses" ,ncurses)))
-      (arguments `(#:configure-flags
-                   (list (string-append "LDFLAGS=-Wl,-rpath -Wl,"
-                                        (assoc-ref %build-inputs "ncurses")
-                                        "/lib")
+  (package
+    (name "readline")
+    (version (string-append "7.0."
+                            (number->string (length %patch-series-7.0))))
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://gnu/readline/readline-"
+                                  (version-major+minor version) ".tar.gz"))
+              (sha256
+               (base32
+                "0d13sg9ksf982rrrmv5mb6a2p4ys9rvg9r71d6il0vr8hmql63bm"))
+              (patches (append
+                        %patch-series-7.0
+                        (search-patches "readline-link-ncurses.patch")))
+              (patch-flags '("-p0"))))
+    (build-system gnu-build-system)
+    (propagated-inputs `(("ncurses" ,ncurses)))
+    (arguments `(#:configure-flags
+                 (list (string-append "LDFLAGS=-Wl,-rpath -Wl,"
+                                      (assoc-ref %build-inputs "ncurses")
+                                      "/lib")
 
-                         ;; This test does an 'AC_TRY_RUN', which aborts when
-                         ;; cross-compiling, so provide the correct answer.
-                         ,@(if (%current-target-system)
-                               '("bash_cv_wcwidth_broken=no")
-                               '())
-                         ;; MinGW: ncurses provides the termcap api.
-                         ,@(if (target-mingw?)
-                               '("bash_cv_termcap_lib=ncurses")
-                               '()))
+                       ;; This test does an 'AC_TRY_RUN', which aborts when
+                       ;; cross-compiling, so provide the correct answer.
+                       ,@(if (%current-target-system)
+                             '("bash_cv_wcwidth_broken=no")
+                             '())
+                       ;; MinGW: ncurses provides the termcap api.
+                       ,@(if (target-mingw?)
+                             '("bash_cv_termcap_lib=ncurses")
+                             '()))
 
-                   ,@(if (target-mingw?)
-                         ;; MinGW: termcap in ncurses
-                         ;; some SIG_* #defined in _POSIX
-                         '(#:make-flags '("TERMCAP_LIB=-lncurses"
-                                          "CPPFLAGS=-D_POSIX -D'chown(f,o,g)=0'"))
-                         '())
-                   #:phases (alist-cons-after
-                             'install 'post-install
-                             ,post-install-phase
-                             %standard-phases)))
-      (synopsis "Edit command lines while typing, with history support")
-      (description
-       "The GNU readline library allows users to edit command lines as they
+                 ,@(if (target-mingw?)
+                       ;; MinGW: termcap in ncurses
+                       ;; some SIG_* #defined in _POSIX
+                       '(#:make-flags '("TERMCAP_LIB=-lncurses"
+                                        "CPPFLAGS=-D_POSIX -D'chown(f,o,g)=0'"))
+                       '())))
+    (synopsis "Edit command lines while typing, with history support")
+    (description
+     "The GNU readline library allows users to edit command lines as they
 are typed in.  It can maintain a searchable history of previously entered
 commands, letting you easily recall, edit and re-enter past commands.  It
 features both Emacs-like and vi-like keybindings, making its usage
 comfortable for anyone.")
-      (license gpl3+)
-      (home-page "https://savannah.gnu.org/projects/readline/"))))
+    (license gpl3+)
+    (home-page "https://savannah.gnu.org/projects/readline/")))
 
 (define-public readline-6.2
   (package (inherit readline)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index ac852f54b8..5d77d5f97b 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2015, 2016, 2017 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2017 ng0 <ng0@n0.is>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
 ;;;
@@ -51,8 +52,7 @@
 (define-public ruby
   (package
     (name "ruby")
-    (replacement ruby-2.4.3)
-    (version "2.4.2")
+    (version "2.4.3")
     (source
      (origin
        (method url-fetch)
@@ -61,7 +61,7 @@
                            "/ruby-" version ".tar.xz"))
        (sha256
         (base32
-         "0dgp4ypk3smrsbh2c249n5pl6nqhpd2igq9484dbsh81sf08k2kl"))
+         "0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3"))
        (modules '((guix build utils)))
        (snippet `(begin
                    ;; Remove bundled libffi
@@ -103,26 +103,6 @@ a focus on simplicity and productivity.")
     (home-page "https://www.ruby-lang.org")
     (license license:ruby)))
 
-(define-public ruby-2.4.3
-  (package
-    (inherit ruby)
-    (name "ruby")
-    (version "2.4.3")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
-                           (version-major+minor version)
-                           "/ruby-" version ".tar.xz"))
-       (sha256
-        (base32
-         "0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3"))
-       (modules '((guix build utils)))
-       (snippet `(begin
-                   ;; Remove bundled libffi
-                   (delete-file-recursively "ext/fiddle/libffi-3.2.1")
-                   #t))))))
-
 (define-public ruby-2.3
   (package
     (inherit ruby)
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 58c7b3f445..6802b7b383 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -123,7 +123,7 @@ be output in text, PostScript, PDF or HTML.")
                 "09pl0w01fr09bsrwd7nz2r5psysj0z93w4chz3hm2havvqqvhg3s"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:disallowed-references (,tzdata-2017a)
+     `(#:disallowed-references (,tzdata-for-tests)
        #:make-flags
        (list (string-append "LDFLAGS=-Wl,-rpath="
                             (assoc-ref %outputs "out")
@@ -248,7 +248,7 @@ be output in text, PostScript, PDF or HTML.")
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("texinfo" ,texinfo) ; for building HTML manuals
-       ("tzdata" ,tzdata-2017a)
+       ("tzdata" ,tzdata-for-tests)
        ("xz" ,xz)))
     (inputs
      `(;; We need not only cairo here, but pango to ensure that tests for the
diff --git a/gnu/packages/tcl.scm b/gnu/packages/tcl.scm
index c8eac41f0a..5310655ce2 100644
--- a/gnu/packages/tcl.scm
+++ b/gnu/packages/tcl.scm
@@ -38,35 +38,32 @@
 (define-public tcl
   (package
     (name "tcl")
-    (version "8.6.6")
+    (version "8.6.7")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                   version "/tcl" version "-src.tar.gz"))
               (sha256
                (base32
-                "01zypqhy57wvh1ikk28bg733sk5kf4q568pq9v6fvcz4h6bl0rd2"))
-              (patches (search-patches "tcl-mkindex-deterministic.patch"))))
+                "19bb09l55alz4jb38961ikd5116q80s51bjvzqy44ckkwf28ysvw"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:phases (alist-cons-before
-                 'configure 'pre-configure
-                 (lambda _
-                   (chdir "unix"))
-                 (alist-cons-after
-                  'install 'install-private-headers
-                  (lambda* (#:key outputs #:allow-other-keys)
-                    ;; Private headers are needed by Expect.
-                    (and (zero? (system* "make"
-                                         "install-private-headers"))
-                         (let ((bin (string-append (assoc-ref outputs "out")
-                                                   "/bin")))
-                           ;; Create a tclsh -> tclsh8.6 symlink.
-                           ;; Programs such as Ghostscript rely on it.
-                           (with-directory-excursion bin
-                             (symlink (car (find-files "." "tclsh"))
-                                      "tclsh")))))
-                  %standard-phases))
+     '(#:phases (modify-phases %standard-phases
+                  (add-before 'configure 'pre-configure
+                    (lambda _ (chdir "unix") #t))
+                 (add-after 'install 'install-private-headers
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     ;; Private headers are needed by Expect.
+                     (and (zero? (system* "make"
+                                          "install-private-headers"))
+                          (let ((bin (string-append (assoc-ref outputs "out")
+                                                    "/bin")))
+                            ;; Create a tclsh -> tclsh8.6 symlink.
+                            ;; Programs such as Ghostscript rely on it.
+                            (with-directory-excursion bin
+                              (symlink (car (find-files "." "tclsh"))
+                                       "tclsh"))
+                            #t)))))
 
        ;; By default, man pages are put in PREFIX/man, but we want them in
        ;; PREFIX/share/man.  The 'validate-documentation-location' phase is
@@ -137,14 +134,14 @@ X11 GUIs.")
 (define-public tk
   (package
     (name "tk")
-    (version "8.6.6")
+    (version "8.6.7")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/tcl/Tcl/"
                                  version "/tk" version "-src.tar.gz"))
              (sha256
               (base32
-               "17diivcfcwdhp4v5zi6j9nkxncccjqkivhp363c4wx5lf4d3fb6n"))
+               "1aipcf6qmbgi15av8yrpp2hx6vdwr684r6739p8cgdzrajiy4786"))
              (patches (search-patches "tk-find-library.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 8c33023bd0..c7f2f4840f 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2016 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,19 +31,17 @@
   #:use-module (gnu packages ncurses))
 
 (define-public texinfo
-  ;; TODO: Merge with 'texinfo-latest' on the next core-updates.
   (package
     (name "texinfo")
-    (version "6.3")
+    (version "6.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "0fpr9kdjjl6nj2pc50k2zr7134hvqz8bi8pfqa7131a9lpzz6v14"))))
+                "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
     (build-system gnu-build-system)
-    (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
               ("perl" ,perl)))
 
@@ -63,19 +62,6 @@ their source and the command-line Info reader.  The emphasis of the language
 is on expressing the content semantically, avoiding physical markup commands.")
     (license gpl3+)))
 
-(define-public texinfo-latest
-  ;; TODO: Turn this into 'texinfo' on the next core-updates cycle.
-  (package (inherit texinfo)
-    (version "6.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/texinfo/texinfo-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "0qjzvbvnv9003xdrcpi3jp7y68j4hq2ciw9frh2hghh698zlnxvp"))))
-    (native-inputs '())))
-
 (define-public texinfo-5
   (package (inherit texinfo)
     (version "5.2")
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index bee2d09eb8..a72feb41ed 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -66,7 +66,6 @@
   (package
     (name "libtasn1")
     (version "4.12")
-    (replacement libtasn1/fixed)
     (source
      (origin
       (method url-fetch)
@@ -74,7 +73,8 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))))
+        "0ls7jdq3y5fnrwg0pzhq11m21r8pshac2705bczz6mqjc8pdllv7"))
+      (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (home-page "https://www.gnu.org/software/libtasn1/")
@@ -86,13 +86,6 @@ networking, allowing for formal validation of data according to some
 specifications.")
     (license license:lgpl2.0+)))
 
-(define libtasn1/fixed
-  (package
-    (inherit libtasn1)
-    (source (origin
-              (inherit (package-source libtasn1))
-              (patches (search-patches "libtasn1-CVE-2017-10790.patch"))))))
-
 (define-public asn1c
   (package
     (name "asn1c")
@@ -150,9 +143,6 @@ coordinating the use of PKCS#11 by different components or libraries
 living in the same process.")
     (license license:bsd-3)))
 
-
-;; TODO Add net-tools-for-tests to #:disallowed-references when we can afford
-;; rebuild GnuTLS (i.e. core-updates).
 (define-public gnutls
   (package
     (name "gnutls")
@@ -173,7 +163,9 @@ living in the same process.")
                "15ihq6p0hnnhs8cnjrkj40dmlcaa1jjg8xg0g2ydbnlqs454ixbr"))))
     (build-system gnu-build-system)
     (arguments
-     '(#:configure-flags
+     `(; Ensure we don't keep a reference to this buggy software.
+       #:disallowed-references (,net-tools)
+       #:configure-flags
        (list
              ;; GnuTLS doesn't consult any environment variables to specify
              ;; the location of the system-wide trust store.  Instead it has a
@@ -207,7 +199,7 @@ living in the same process.")
                "debug"
                "doc"))                            ;4.1 MiB of man pages
     (native-inputs
-     `(("net-tools" ,net-tools-for-tests)
+     `(("net-tools" ,net-tools)
        ("pkg-config" ,pkg-config)
        ("which" ,which)))
     (inputs
@@ -254,18 +246,19 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (version "1.0.2l")
-   (replacement openssl-1.0.2n)
+   (version "1.0.2n")
    (source (origin
              (method url-fetch)
-             (uri (list (string-append "ftp://ftp.openssl.org/source/"
+             (uri (list (string-append "https://www.openssl.org/source/openssl-"
+                                       version ".tar.gz")
+                        (string-append "ftp://ftp.openssl.org/source/"
                                        name "-" version ".tar.gz")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
-               "037kvpisc6qh5dkppcwbm5bg2q800xh2hma3vghz8xcycmdij1yf"))
+               "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))
              (snippet
               '(begin
                  ;; Remove ELF files.  'substitute*' can't read them.
@@ -382,15 +375,14 @@ required structures.")
                                                      ,version "/misc"))
              #t))))))
    (native-search-paths
-    ;; FIXME: These two variables must designate a single file or directory
-    ;; and are not actually "search paths."  In practice it works OK in user
-    ;; profiles because there's always just one item that matches the
-    ;; specification.
     (list (search-path-specification
            (variable "SSL_CERT_DIR")
+           (separator #f)                        ;single entry
            (files '("etc/ssl/certs")))
           (search-path-specification
            (variable "SSL_CERT_FILE")
+           (file-type 'regular)
+           (separator #f)                        ;single entry
            (files '("etc/ssl/certs/ca-certificates.crt")))))
    (synopsis "SSL/TLS implementation")
    (description
@@ -398,25 +390,6 @@ required structures.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
 
-;; Fixes CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, and CVE-2017-3738.
-;; See <https://www.openssl.org/news/cl102.txt>.
-(define-public openssl-1.0.2n
-  (package
-    (inherit openssl)
-    (version "1.0.2n")
-    (source (origin
-              (inherit (package-source openssl))
-              (uri (list (string-append "https://www.openssl.org/source/openssl-"
-                                        version ".tar.gz")
-                         (string-append "ftp://ftp.openssl.org/source/openssl-"
-                                        version ".tar.gz")
-                         (string-append "ftp://ftp.openssl.org/source/old/"
-                                        (string-trim-right version char-set:letter)
-                                        "/openssl-" version ".tar.gz")))
-              (sha256
-               (base32
-                "1zm82pyq5a9jm10q6iv7d3dih3xwjds4x30fqph3k317byvsn2rp"))))))
-
 (define-public openssl-next
   (package
     (inherit openssl)
@@ -554,7 +527,7 @@ netcat implementation that supports TLS.")
                #t))))))
     ;; TODO: Add optional inputs for testing.
     (native-inputs
-     `(("python-mock" ,python-mock-2)
+     `(("python-mock" ,python-mock)
        ;; For documentation
        ("python-sphinx" ,python-sphinx)
        ("python-sphinxcontrib-programoutput" ,python-sphinxcontrib-programoutput)
@@ -604,7 +577,7 @@ netcat implementation that supports TLS.")
     ;; TODO: Add optional inputs for testing.
     (native-inputs
      `(("python-nose" ,python-nose)
-       ("python-mock" ,python-mock-2)
+       ("python-mock" ,python-mock)
        ;; For documentation
        ("python-sphinx" ,python-sphinx)
        ("python-sphinx-rtd-theme" ,python-sphinx-rtd-theme)
@@ -640,14 +613,14 @@ certificates for free.")
 (define-public perl-net-ssleay
   (package
     (name "perl-net-ssleay")
-    (version "1.81")
+    (version "1.82")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://cpan/authors/id/M/MI/MIKEM/"
                                   "Net-SSLeay-" version ".tar.gz"))
               (sha256
                (base32
-                "0z8vya34g88bc41kx955sv7y4niwbbywji8liqbl52v29qbvdjq0"))))
+                "1rf78z1macgmp6mwd7c2xq4yfw6wpf28hfwfz1d5wslqr4cwb5aq"))))
     (build-system perl-build-system)
     (inputs `(("openssl" ,openssl)))
     (arguments
diff --git a/gnu/packages/valgrind.scm b/gnu/packages/valgrind.scm
index 21556a939d..6c06b24c1c 100644
--- a/gnu/packages/valgrind.scm
+++ b/gnu/packages/valgrind.scm
@@ -40,7 +40,8 @@
              (sha256
               (base32
                "0fqc3684grrbxwsic1rc5ryxzxmigzjx9p5vf3lxa37h0gpq0rnp"))
-             (patches (search-patches "valgrind-enable-arm.patch"))))
+             (patches (search-patches "valgrind-enable-arm.patch"
+                                      "valgrind-glibc-compat.patch"))))
     (build-system gnu-build-system)
     (outputs '("doc"                              ;16 MB
                "out"))
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index e646eeec17..9c214b8cf3 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -1491,7 +1491,7 @@ repository\" with git-annex.")
 (define-public fossil
   (package
     (name "fossil")
-    (version "2.2")
+    (version "2.4")
     (source
      (origin
        (method url-fetch)
@@ -1503,11 +1503,9 @@ repository\" with git-annex.")
              (string-append
               "https://www.fossil-scm.org/index.html/uv/"
               "fossil-src-" version ".tar.gz")))
-       (patches (search-patches "fossil-CVE-2017-17459.patch"))
-       (patch-flags '("-p0"))
        (sha256
         (base32
-         "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv"))))
+         "0add35lk2ac4qg29d7ygj7pskv8lfln33f3kgf6x3548msv9hd6j"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("tcl" ,tcl)                     ;for configuration only
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index e7285e50b5..2311359278 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -536,7 +536,7 @@ libebml is a C++ library to read and write EBML files.")
 (define-public libva
   (package
     (name "libva")
-    (version "1.8.3")
+    (version "2.0.0")
     (source
      (origin
        (method url-fetch)
@@ -548,7 +548,7 @@ libebml is a C++ library to read and write EBML files.")
              (string-append "https://www.freedesktop.org/software/vaapi/releases/"
                             "libva/libva-" version "/libva-" version ".tar.bz2")))
        (sha256
-        (base32 "16xbk0awl7wp0vy0nyjvxk11spbw25mp8kwd9bmhd6x9xffi5vjn"))))
+        (base32 "0cz5i62jnibmnx0i80i9yipq39v16qr6fw461f6hvrh9lbwh21mv"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -2420,7 +2420,7 @@ many codecs and formats supported by libmediainfo.")
 (define-public livemedia-utils
   (package
     (name "livemedia-utils")
-    (version "2017.06.04")
+    (version "2017.10.28")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2428,7 +2428,12 @@ many codecs and formats supported by libmediainfo.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "0xf3vynxqpxpd762zni0jkblnjlgbqxjx99m83m7gqx6zriph271"))))
+                "0f5kxpayqn3yhabqrd2cqlc74i6x2xr01jfkank1lcilxnfyrsnq"))
+              (modules '((guix build utils)))
+              (snippet
+               ;; As of glibc 2.26, <xlocale.h> no longer is.
+               '(substitute* "liveMedia/include/Locale.hh"
+                  (("xlocale\\.h") "locale.h")))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f ; no tests
diff --git a/gnu/packages/vulkan.scm b/gnu/packages/vulkan.scm
new file mode 100644
index 0000000000..dc819017bb
--- /dev/null
+++ b/gnu/packages/vulkan.scm
@@ -0,0 +1,189 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages vulkan)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module (guix git-download)
+  #:use-module (guix build-system cmake)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages bison)
+  #:use-module (gnu packages freedesktop)
+  #:use-module (gnu packages gl)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages python)
+  #:use-module (gnu packages xorg))
+
+(define-public spirv-headers
+  (let ((commit "98b01515724c428d0f0a5d01deffcce0f5f5e61c")
+        (revision "1"))
+    (package
+      (name "spirv-headers")
+      (version (string-append "0.0-" revision "." (string-take commit 9)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/KhronosGroup/SPIRV-Headers")
+               (commit commit)))
+         (sha256
+          (base32
+           "15bknwkv3xwmjs3lmkp282a1wrp0da1b4lp45i4yiav04zmqygj2"))
+         (file-name (string-append name "-" version "-checkout"))))
+      (build-system cmake-build-system)
+      (arguments
+       `(#:tests? #f ;; No tests
+         #:phases (modify-phases %standard-phases
+                    (replace 'install
+                      (lambda* (#:key outputs #:allow-other-keys)
+                        (zero? (system* "cmake" "-E" "copy_directory"
+                                        "../source/include/spirv"
+                                        (string-append (assoc-ref outputs "out")
+                                                       "/include/spirv"))))))))
+      (home-page "https://github.com/KhronosGroup/SPIRV-Headers")
+      (synopsis "Machine-readable files from the SPIR-V Registry")
+      (description
+       "SPIRV-Headers is a repository containing machine-readable files from
+the SPIR-V Registry.  This includes:
+@itemize
+@item Header files for various languages.
+@item JSON files describing the grammar for the SPIR-V core instruction set,
+and for the GLSL.std.450 extended instruction set.
+@item The XML registry file.
+@end itemize\n")
+      (license (license:x11-style
+                (string-append "https://github.com/KhronosGroup/SPIRV-Headers/blob/"
+                               commit "/LICENSE"))))))
+
+(define-public spirv-tools
+  (package
+    (name "spirv-tools")
+    (version "2017.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/KhronosGroup/SPIRV-Tools/archive/v"
+                           version ".tar.gz"))
+       (sha256
+        (base32
+         "009vflaa71a7xhvmm23f4sdbcgdkl1k4facqkwsg6djha2sdpsqq"))
+       (file-name (string-append name "-" version ".tar.gz"))))
+    (build-system cmake-build-system)
+    (arguments
+     `(#:configure-flags (list (string-append "-DCMAKE_INSTALL_LIBDIR="
+                                              (assoc-ref %outputs "out")
+                                              "/lib")
+                               (string-append "-DSPIRV-Headers_SOURCE_DIR="
+                                              (assoc-ref %build-inputs
+                                                         "spirv-headers")))))
+    (inputs `(("spirv-headers" ,spirv-headers)))
+    (native-inputs `(("pkg-config", pkg-config)
+                     ("python" ,python)))
+    (home-page "https://github.com/KhronosGroup/SPIRV-Tools")
+    (synopsis "API and commands for processing SPIR-V modules")
+    (description
+     "The SPIR-V Tools project provides an API and commands for processing
+SPIR-V modules.  The project includes an assembler, binary module parser,
+disassembler, validator, and optimizer for SPIR-V.")
+    (license license:asl2.0)))
+
+(define-public glslang
+  ;; Version 3.0 is too old for vulkan-icd-loader. Use a recent git commit
+  ;; until the next stable version.
+  (let ((commit "471bfed0621162a7513fc24a51e8a1ccc2e640ff")
+        (revision "1"))
+    (package
+      (name "glslang")
+      (version (string-append "3.0-" revision "." (string-take commit 9)))
+      (source
+       (origin
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/KhronosGroup/glslang")
+               (commit commit)))
+         (sha256
+          (base32
+           "0m2vljmrqppp80ghbbwfnayqw2canxlcjhgy6jw9xjdssln0d3pd"))
+         (file-name (string-append name "-" version "-checkout"))))
+      (build-system cmake-build-system)
+      (arguments
+       `(#:tests? #f ;; No tests
+         ;; glslang tries to set CMAKE_INSTALL_PREFIX manually. Remove the
+         ;; offending line.
+         #:phases (modify-phases %standard-phases
+                    (add-after 'patch-source-shebangs 'fix-cmakelists
+                      (lambda _
+                        (substitute* "CMakeLists.txt"
+                          (("set.*CMAKE_INSTALL_PREFIX.*") ""))
+                        #t)))))
+      (native-inputs `(("bison" ,bison)
+                       ("pkg-config" ,pkg-config)))
+      (home-page "https://github.com/KhronosGroup/glslang")
+      (synopsis "OpenGL and OpenGL ES shader front end and validator")
+      (description
+       "Glslang is the official reference compiler front end for the
+OpenGL@tie{}ES and OpenGL shading languages.  It implements a strict
+interpretation of the specifications for these languages.")
+      ;; Modified BSD license. See "copyright" section of
+      ;; https://www.khronos.org/opengles/sdk/tools/Reference-Compiler/
+      (license (list license:bsd-3
+                     ;; include/SPIRV/{bitutils,hex_float}.h are Apache 2.0.
+                     license:asl2.0)))))
+
+(define-public vulkan-icd-loader
+  (package
+    (name "vulkan-icd-loader")
+    (version "1.0.61.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/KhronosGroup/Vulkan-LoaderAndValidationLayers/"
+             "archive/sdk-" version ".tar.gz"))
+       (sha256
+        (base32
+         "05g60hk30sbc4rwkh7nrgqdk6hfsi4hwxs54yrysrzr18xpfb8j7"))))
+    (build-system cmake-build-system)
+    (arguments
+     `(#:tests? #f ;FIXME: 23/39 tests fail.  Try "tests/run_all_tests.sh".
+       #:configure-flags (list (string-append "-DCMAKE_INSTALL_LIBDIR="
+                                              (assoc-ref %outputs "out") "/lib"))))
+    (inputs `(("glslang" ,glslang)
+              ("libxcb" ,libxcb)
+              ("libx11" ,libx11)
+              ("libxrandr" ,libxrandr)
+              ("mesa" ,mesa)
+              ("spirv-tools" ,spirv-tools)
+              ("wayland" ,wayland)))
+    (native-inputs `(("pkg-config", pkg-config)
+                     ("python" ,python)))
+    (home-page
+     "https://github.com/KhronosGroup/Vulkan-LoaderAndValidationLayers")
+    (synopsis "Khronos official ICD loader and validation layers for Vulkan")
+    (description
+     "Vulkan allows multiple @dfn{Installable Client Drivers} (ICDs) each
+supporting one or more devices to be used collectively.  The loader is
+responsible for discovering available Vulkan ICDs on the system and inserting
+Vulkan layer libraries, including validation layers between the application
+and the ICD.")
+    ;; This software is mainly Apache 2.0 licensed, but contains some components
+    ;; covered by other licenses.  See COPYRIGHT.txt for details.
+    (license (list license:asl2.0       ;LICENSE.txt
+                   (license:x11-style "file://COPYRIGHT.txt")
+                   license:bsd-3))))
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index f67f415d2f..10757cb546 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -5244,7 +5244,7 @@ command-line arguments or read from stdin.")
        ("python-schema" ,python-schema-0.5)
        ("python-backports-csv" ,python-backports-csv)))
     (native-inputs
-     `(("python-pytest-3.0" ,python-pytest-3.0)
+     `(("python-pytest" ,python-pytest)
        ("python-pytest-capturelog" ,python-pytest-capturelog)
        ("python-responses" ,python-responses)))
     (home-page "https://github.com/jjjake/internetarchive")
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index c81e5ad01f..8c9ef7adfa 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -319,7 +319,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.83")
+    (version "2.4.89")
     (source
       (origin
         (method url-fetch)
@@ -329,7 +329,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
          (base32
-          "1minzvsyz5hgm6ixpj8ysa6jsv7vm8qc8nx390jxdsk0v9ljd983"))
+          "0bm06vqqjbb06mlz2f2h4man0xp0dz928pyycs8q1d5vma19g7v2"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (arguments
@@ -1124,7 +1124,7 @@ connectivity of the X server running on a particular @code{DISPLAY}.")
        ("xcb-util-wm" ,xcb-util-wm)))
     (native-inputs
      `(("bison" ,bison)
-       ("check" ,check-0.11.0)
+       ("check" ,check)
        ("flex" ,flex)
        ("pkg-config" ,pkg-config)))
     (arguments
diff --git a/gnu/packages/xiph.scm b/gnu/packages/xiph.scm
index 4097a740c4..3a9b989486 100644
--- a/gnu/packages/xiph.scm
+++ b/gnu/packages/xiph.scm
@@ -80,12 +80,13 @@ periodic timestamps for seeking.")
 (define libvorbis
   (package
    (name "libvorbis")
-   (replacement libvorbis/fixed)
    (version "1.3.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://downloads.xiph.org/releases/vorbis/"
                                 "libvorbis-" version ".tar.xz"))
+            (patches (search-patches "libvorbis-CVE-2017-14633.patch"
+                                     "libvorbis-CVE-2017-14632.patch"))
             (sha256
              (base32
               "1lg1n3a6r41492r7in0fpvzc7909mc5ir9z0gd3qh2pz4yalmyal"))))
@@ -104,14 +105,6 @@ polyphonic) audio and music at fixed and variable bitrates from 16 to
                                "See COPYING in the distribution."))
    (home-page "https://xiph.org/vorbis/")))
 
-(define libvorbis/fixed
-  (package
-    (inherit libvorbis)
-    (source (origin
-              (inherit (package-source libvorbis))
-              (patches (search-patches "libvorbis-CVE-2017-14633.patch"
-                                       "libvorbis-CVE-2017-14632.patch"))))))
-
 (define libtheora
   (package
     (name "libtheora")
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 78ead8827c..03bb7cef7e 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1,11 +1,11 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
@@ -59,17 +59,16 @@
 (define-public expat
   (package
     (name "expat")
-    (version "2.2.1")
-    (replacement expat-2.2.4)
+    (version "2.2.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
                                  version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
-               "11c8jy1wvllvlk7xdc5cm8hdhg0hvs8j0aqy6s702an8wkdcls0q"))))
+               "1xpd78sp7m34jqrw5x13bz7kgz0n6aj15wn4zj4gfx3ypbpk5p6r"))))
     (build-system gnu-build-system)
-    (home-page "http://www.libexpat.org/")
+    (home-page "https://libexpat.github.io/")
     (synopsis "Stream-oriented XML parser library written in C")
     (description
      "Expat is an XML parser library written in C.  It is a
@@ -77,18 +76,6 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define expat-2.2.4  ; Fix CVE-{2016-9063,2017-9233,2017-11742} & other issues.
-  (package
-    (inherit expat)
-    (version "2.2.4")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/expat/expat/"
-                                 version "/expat-" version ".tar.bz2"))
-             (sha256
-              (base32
-               "17h1fb9zvqvf0sr78j211bngc6jpql5wzar8fg9b52jzjvdqbb83"))))))
-
 (define-public libebml
   (package
     (name "libebml")
@@ -113,17 +100,14 @@ hierarchical form with variable field lengths.")
 (define-public libxml2
   (package
     (name "libxml2")
-    (version "2.9.4")
-    (replacement libxml2/fixed)
+    (version "2.9.7")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))
-             (patches (search-patches "libxml2-CVE-2016-4658.patch"
-                                      "libxml2-CVE-2016-5131.patch"))
              (sha256
               (base32
-               "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
+               "034hylzspvkm0p4bczqbf8q05a7r2disr8dz725x4bin61ymwg7n"))))
     (build-system gnu-build-system)
     (home-page "http://www.xmlsoft.org/")
     (synopsis "C parser for XML")
@@ -143,21 +127,6 @@ hierarchical form with variable field lengths.")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
-(define libxml2/fixed
-  (package
-    (inherit libxml2)
-    (source
-     (origin
-       (inherit (package-source libxml2))
-       (patches
-        (append (origin-patches (package-source libxml2))
-        (search-patches "libxml2-CVE-2017-0663.patch"
-                        "libxml2-CVE-2017-7375.patch"
-                        "libxml2-CVE-2017-7376.patch"
-                        "libxml2-CVE-2017-9047+CVE-2017-9048.patch"
-                        "libxml2-CVE-2017-9049+CVE-2017-9050.patch"
-                        "libxml2-CVE-2017-15412.patch")))))))
-
 (define-public python-libxml2
   (package/inherit libxml2
     (name "python-libxml2")
@@ -190,19 +159,14 @@ project (but it is usable outside of the Gnome platform).")
 (define-public libxslt
   (package
     (name "libxslt")
-    (replacement libxslt/fixed)
-    (version "1.1.29")
+    (version "1.1.32")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxslt/libxslt-"
                                  version ".tar.gz"))
-             ;; XXX Oops, the patches field is redefined below, which means the
-             ;; patch for CVE-2016-4738 was not used. Fixed in the definition of
-             ;; libxslt/fixed below.
-             ;(patches (search-patches "libxslt-CVE-2016-4738.patch"))
              (sha256
               (base32
-               "1klh81xbm9ppzgqk339097i39b7fnpmlj8lzn8bpczl3aww6x5xm"))
+               "0q2l6m56iv3ysxgm2walhg4c9wp7q183jb328687i9zlp85csvjj"))
              (patches (search-patches "libxslt-generated-ids.patch"))))
     (build-system gnu-build-system)
     (home-page "http://xmlsoft.org/XSLT/index.html")
@@ -942,14 +906,14 @@ XSL-T processor.  It also performs any necessary post-processing.")
 (define-public xmlsec
   (package
     (name "xmlsec")
-    (version "1.2.20")
+    (version "1.2.25")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.aleksey.com/xmlsec/download/"
                                  name "1-" version ".tar.gz"))
              (sha256
               (base32
-               "01bkbv2y3x8d1sf4dcln1x3y2jyj391s3208d9a2ndhglly5j89j"))))
+               "1lpwj8dxwhha54sby0v5axjk79h56jnhjjiwiasbbk15vwzahz4n"))))
     (build-system gnu-build-system)
     (propagated-inputs ; according to xmlsec1.pc
      `(("libxml2" ,libxml2)
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 411fbf17ef..7e80e411dd 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -1109,7 +1109,7 @@ themselves.")
 (define-public libpciaccess
   (package
     (name "libpciaccess")
-    (version "0.13.5")
+    (version "0.14")
     (source
       (origin
         (method url-fetch)
@@ -1119,7 +1119,7 @@ themselves.")
                ".tar.bz2"))
         (sha256
           (base32
-            "16dr80rdw5bzdyhahvilfjrflj7scs2yl2mmghsb84f3nglm8b3m"))))
+            "197jbcpvp4z4x6j705mq2y4fsnnypy6f85y8xalgwhgx5bhl7x9x"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Make sure libpciaccess can read compressed 'pci.ids' files as
@@ -3821,7 +3821,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.21")
+    (version "2.22")
     (source
       (origin
         (method url-fetch)
@@ -3831,7 +3831,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1iffxpchy6dfgbby23nfsqqk17h9lfddlmjnhwagqag1z94p1h9h"))))
+            "1garmbyfjp0han04l2l90zzwlfbdgdxl6r1qnic36i5wkycckbny"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -4892,32 +4892,14 @@ new API's in libXft, or the legacy API's in libX11.")
 (define-public libxfont2
   (package
     (inherit libxfont)
-    (version "2.0.1")
-    (replacement libxfont2-2.0.3)
+    (version "2.0.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
                                   version ".tar.bz2"))
               (sha256
                (base32
-                "0znvwk36nhmyqpmhbm9mzisgixp1mp5qkfald8x1n5yxbm3vpyz9"))))))
-
-;; Fixes the following security vulnerabilities:
-;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13720
-;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13722
-;; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612
-(define-public libxfont2-2.0.3
-  (package
-    (inherit libxfont2)
-    (version "2.0.3")
-    (source
-     (origin
-       (inherit (package-source libxfont2))
-       (uri (string-append "mirror://xorg/individual/lib/libXfont2-"
-                           version ".tar.bz2"))
-       (sha256
-        (base32
-         "0klwmimmhm3axpj8pwn5l41lbggh47r5aazhw63zxkbwfgyvg2hf"))))))
+                "0klwmimmhm3axpj8pwn5l41lbggh47r5aazhw63zxkbwfgyvg2hf"))))))
 
 (define-public libxi
   (package
@@ -5315,8 +5297,7 @@ draggable titlebars and borders.")
 (define-public libxcursor
   (package
     (name "libxcursor")
-    (version "1.1.14")
-    (replacement libxcursor-1.1.15)
+    (version "1.1.15")
     (source
       (origin
         (method url-fetch)
@@ -5326,7 +5307,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1prkdicl5y5yx32h1azh6gjfbijvjp415javv8dsakd13jrarilv"))))
+            "0syzlfvh29037p0vnlc8f3jxz8nl55k65blswsakklkwsc6nfki9"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("libx11" ,libx11)
@@ -5349,19 +5330,6 @@ draggable titlebars and borders.")
     (description "Xorg Cursor management library.")
     (license license:x11)))
 
-;; For CVE-2017-16612.
-(define-public libxcursor-1.1.15
-  (package
-    (inherit libxcursor)
-    (version "1.1.15")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://xorg/individual/lib/libXcursor-"
-                                  version ".tar.bz2"))
-              (sha256
-               (base32
-                "0syzlfvh29037p0vnlc8f3jxz8nl55k65blswsakklkwsc6nfki9"))))))
-
 (define-public libxt
   (package
     (name "libxt")
diff --git a/gnu/system.scm b/gnu/system.scm
index 39452304ba..71beee8259 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -516,7 +516,7 @@ explicitly appear in OS."
 
          ;; wireless-tools is deprecated in favor of iw, but it's still what
          ;; many people are familiar with, so keep it around.
-         iw wireless-tools rfkill
+         iw wireless-tools
 
          iproute
          net-tools                        ; XXX: remove when Inetutils suffices
diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm
index 2b8412cdd5..119f7e4d0b 100644
--- a/gnu/system/shadow.scm
+++ b/gnu/system/shadow.scm
@@ -197,10 +197,14 @@ set auto-load safe-path /gnu/store/*/lib\n")))
       (".zlogin" ,zlogin)
       (".Xdefaults" ,xdefaults)
       (".guile" ,(plain-file "dot-guile"
-                             (string-append
-                              "(use-modules (ice-9 readline))\n\n"
-                              ";; Enable completion at the REPL.\n"
-                              "(activate-readline)\n")))
+                             "(cond ((false-if-exception (resolve-interface '(ice-9 readline)))
+       =>
+       (lambda (module)
+         ;; Enable completion and input history at the REPL.
+         ((module-ref module 'activate-readline))))
+      (else
+       (display \"Consider installing the 'guile-readline' package for
+convenient interactive line editing and input history.\\n\\n\")))\n"))
       (".guile-wm" ,guile-wm)
       (".gdbinit" ,gdbinit))))