summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk11
-rw-r--r--gnu/packages/backup.scm18
-rw-r--r--gnu/packages/base.scm215
-rw-r--r--gnu/packages/bootstrap.scm2
-rw-r--r--gnu/packages/check.scm8
-rw-r--r--gnu/packages/cmake.scm5
-rw-r--r--gnu/packages/commencement.scm42
-rw-r--r--gnu/packages/compression.scm6
-rw-r--r--gnu/packages/cross-base.scm26
-rw-r--r--gnu/packages/cups.scm25
-rw-r--r--gnu/packages/databases.scm25
-rw-r--r--gnu/packages/ed.scm16
-rw-r--r--gnu/packages/emacs.scm8
-rw-r--r--gnu/packages/fonts.scm4
-rw-r--r--gnu/packages/fontutils.scm8
-rw-r--r--gnu/packages/gcc.scm6
-rw-r--r--gnu/packages/gettext.scm4
-rw-r--r--gnu/packages/ghostscript.scm20
-rw-r--r--gnu/packages/gnupg.scm9
-rw-r--r--gnu/packages/guile.scm3
-rw-r--r--gnu/packages/hurd.scm87
-rw-r--r--gnu/packages/ld-wrapper.in6
-rw-r--r--gnu/packages/linux.scm46
-rw-r--r--gnu/packages/mail.scm5
-rw-r--r--gnu/packages/make-bootstrap.scm4
-rw-r--r--gnu/packages/multiprecision.scm4
-rw-r--r--gnu/packages/netpbm.scm95
-rw-r--r--gnu/packages/openldap.scm26
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283-refix.patch27
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283.patch89
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-7547.patch559
-rw-r--r--gnu/packages/patches/glibc-hurd-extern-inline.patch35
-rw-r--r--gnu/packages/patches/glibc-locale-incompatibility.patch23
-rw-r--r--gnu/packages/patches/libarchive-CVE-2013-0211.patch21
-rw-r--r--gnu/packages/patches/libarchive-CVE-2016-1541.patch67
-rw-r--r--gnu/packages/patches/libarchive-bsdtar-test.patch74
-rw-r--r--gnu/packages/patches/libarchive-fix-lzo-test-case.patch83
-rw-r--r--gnu/packages/patches/libarchive-mtree-filename-length-fix.patch18
-rw-r--r--gnu/packages/patches/libpthread-glibc-preparation.patch146
-rw-r--r--gnu/packages/patches/libxslt-generated-ids.patch173
-rw-r--r--gnu/packages/patches/libxslt-remove-date-timestamps.patch66
-rw-r--r--gnu/packages/patches/procps-non-linux.patch40
-rw-r--r--gnu/packages/patches/tar-d_ino_in_dirent-fix.patch33
-rw-r--r--gnu/packages/pcre.scm19
-rw-r--r--gnu/packages/pdf.scm46
-rw-r--r--gnu/packages/perl.scm39
-rw-r--r--gnu/packages/python.scm113
-rw-r--r--gnu/packages/scheme.scm164
-rw-r--r--gnu/packages/texinfo.scm20
-rw-r--r--gnu/packages/tls.scm85
-rw-r--r--gnu/packages/video.scm6
-rw-r--r--gnu/packages/xdisorg.scm4
-rw-r--r--gnu/packages/xml.scm47
-rw-r--r--gnu/packages/xorg.scm25
-rw-r--r--gnu/system/shadow.scm23
55 files changed, 1041 insertions, 1738 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 73aef0aa8e..15c5138679 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -481,7 +481,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/eudev-rules-directory.patch		\
   %D%/packages/patches/evilwm-lost-focus-bug.patch		\
   %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch	\
-  %D%/packages/patches/expat-CVE-2015-1283.patch		\
   %D%/packages/patches/expat-CVE-2015-1283-refix.patch		\
   %D%/packages/patches/expat-CVE-2016-0718.patch		\
   %D%/packages/patches/fastcap-mulGlobal.patch			\
@@ -512,12 +511,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-runpath.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-tests-timer.patch			\
-  %D%/packages/patches/glibc-CVE-2015-7547.patch		\
   %D%/packages/patches/glibc-bootstrap-system.patch		\
-  %D%/packages/patches/glibc-hurd-extern-inline.patch		\
   %D%/packages/patches/glibc-ldd-x86_64.patch			\
   %D%/packages/patches/glibc-locales.patch			\
-  %D%/packages/patches/glibc-locale-incompatibility.patch	\
   %D%/packages/patches/glibc-o-largefile.patch			\
   %D%/packages/patches/glibc-versioned-locpath.patch		\
   %D%/packages/patches/gmp-arm-asm-nothumb.patch		\
@@ -595,11 +591,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
-  %D%/packages/patches/libarchive-bsdtar-test.patch		\
-  %D%/packages/patches/libarchive-CVE-2013-0211.patch		\
-  %D%/packages/patches/libarchive-CVE-2016-1541.patch		\
-  %D%/packages/patches/libarchive-fix-lzo-test-case.patch	\
-  %D%/packages/patches/libarchive-mtree-filename-length-fix.patch \
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcmis-fix-test-onedrive.patch		\
@@ -637,7 +628,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
   %D%/packages/patches/libxslt-CVE-2015-7995.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
-  %D%/packages/patches/libpthread-glibc-preparation.patch	\
   %D%/packages/patches/lm-sensors-hwmon-attrs.patch		\
   %D%/packages/patches/lua-CVE-2014-5461.patch                      \
   %D%/packages/patches/lua-pkgconfig.patch                      \
@@ -770,7 +760,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/t1lib-CVE-2010-2642.patch		\
   %D%/packages/patches/t1lib-CVE-2011-0764.patch		\
   %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch		\
-  %D%/packages/patches/tar-d_ino_in_dirent-fix.patch		\
   %D%/packages/patches/tar-skip-unreliable-tests.patch		\
   %D%/packages/patches/tcl-mkindex-deterministic.patch		\
   %D%/packages/patches/tclxml-3.2-install.patch			\
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index cb47ef36cb..a0ff535dfe 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -136,8 +136,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (replacement libarchive/fixed)
-    (version "3.1.2")
+    (version "3.2.0")
     (source
      (origin
        (method url-fetch)
@@ -145,12 +144,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
                            version ".tar.gz"))
        (sha256
         (base32
-         "0pixqnrcf35dnqgv0lp7qlcw7k13620qkhgxr288v7p4iz6ym1zb"))
-       (patches
-        (search-patches "libarchive-mtree-filename-length-fix.patch"
-                        "libarchive-fix-lzo-test-case.patch"
-                        "libarchive-CVE-2013-0211.patch"
-                        "libarchive-bsdtar-test.patch"))))
+         "11xabdpmvdmcdkidigmqh4ymhra95lr7ipcys4hdq0gzf7ylbkkv"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
@@ -194,14 +188,6 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
-(define libarchive/fixed
-  (package
-    (inherit libarchive)
-    (source (origin
-              (inherit (package-source libarchive))
-              (patches (cons (search-patch "libarchive-CVE-2016-1541.patch")
-                             (origin-patches (package-source libarchive))))))))
-
 (define-public rdup
   (package
     (name "rdup")
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b5e229e06c..422424cbe8 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -44,7 +44,9 @@
   #:use-module (guix download)
   #:use-module (guix git-download)
   #:use-module (guix build-system gnu)
-  #:use-module (guix build-system trivial))
+  #:use-module (guix build-system trivial)
+  #:use-module (ice-9 match)
+  #:export (glibc))
 
 ;;; Commentary:
 ;;;
@@ -75,14 +77,14 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.22")
+   (version "2.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1srn321x7whlhs5ks36zlcrrmj4iahll8fxwsh1vbz3v04px54fa"))
+              "0c38b67cnwchwzv4wq2gpz6smkhdxrac2hhssv8f0l04qnx867p2"))
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
@@ -137,17 +139,34 @@ implementation offers several extensions over the standard utility.")
 (define-public tar
   (package
    (name "tar")
-   (version "1.28")
+   (version "1.29")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/tar/tar-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1wi2zwm4c9r3h3b8y4w0nm0qq897kn8kyj9k22ba0iqvxj48vvk4"))
-            (patches (search-patches "tar-d_ino_in_dirent-fix.patch"
-                                     "tar-skip-unreliable-tests.patch"))))
+              "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
+            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
+   ;; Note: test suite requires ~1GiB of disk space.
+   (arguments
+    '(#:phases (modify-phases %standard-phases
+                 (add-before 'build 'set-shell-file-name
+                   (lambda* (#:key inputs #:allow-other-keys)
+                     ;; Do not use "/bin/sh" to run programs.
+                     (let ((bash (assoc-ref inputs "bash")))
+                       (substitute* "src/system.c"
+                         (("/bin/sh")
+                          (string-append bash "/bin/sh")))
+                       #t))))))
+
+   ;; When cross-compiling, the 'set-shell-file-name' phase needs to be able
+   ;; to refer to the target Bash.
+   (inputs (if (%current-target-system)
+               `(("bash" ,bash))
+               '()))
+
    (synopsis "Managing tar archives")
    (description
     "Tar provides the ability to create tar archives, as well as the
@@ -243,23 +262,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.24")
+   (version "8.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0w11jw3fb5sslf0f72kxy7llxgk1ia3a6bcw0c9kmvxrlj355mx2"))
-            (patches
-             (list (origin
-                     (method url-fetch)
-                     (uri "http://git.savannah.gnu.org/cgit/coreutils.git/\
-patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0")
-                     (sha256
-                      (base32
-                       "1dnlszhc8lihhg801i9sz896mlrgfsjfcz62636prb27k5hmixqz"))
-                     (file-name "coreutils-tail-inotify-race.patch"))))))
+              "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -315,14 +325,14 @@ functionality beyond that which is outlined in the POSIX standard.")
 (define-public gnu-make
   (package
    (name "make")
-   (version "4.1")
+   (version "4.2")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/make/make-" version
                                 ".tar.bz2"))
             (sha256
              (base32
-              "19gwwhik3wdwn0r42b7xcihkbxvjl9r2bdal8nifc3k5i4rn3iqb"))
+              "0pv5rvz5pp4njxiz3syf786d2xp4j7gzddwjvgw5zmz55yvf6p2f"))
             (patches (search-patches "make-impure-dirs.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkg-config" ,pkg-config)))  ; to detect Guile
@@ -463,17 +473,17 @@ store.")
 
 (export make-ld-wrapper)
 
-(define-public glibc
+(define-public glibc/linux
   (package
    (name "glibc")
-   (version "2.22")
+   (version "2.23")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
+              "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -482,17 +492,14 @@ store.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches
-             (search-patches "glibc-ldd-x86_64.patch"
-                             "glibc-locale-incompatibility.patch"
-                             "glibc-versioned-locpath.patch"
-                             "glibc-o-largefile.patch"
-                             "glibc-CVE-2015-7547.patch"))))
+            (patches (search-patches "glibc-ldd-x86_64.patch"
+                                     "glibc-versioned-locpath.patch"
+                                     "glibc-o-largefile.patch"))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
    ;; users should automatically pull Linux headers as well.
-   (propagated-inputs `(("linux-headers" ,linux-libre-headers)))
+   (propagated-inputs `(("kernel-headers" ,linux-libre-headers)))
 
    (outputs '("out" "debug"))
 
@@ -504,7 +511,7 @@ store.")
       #:parallel-build? #f
 
       ;; The libraries have an empty RUNPATH, but some, such as the versioned
-      ;; libraries (libdl-2.22.so, etc.) have ld.so marked as NEEDED.  Since
+      ;; libraries (libdl-2.23.so, etc.) have ld.so marked as NEEDED.  Since
       ;; these libraries are always going to be found anyway, just skip
       ;; RUNPATH checks.
       #:validate-runpath? #f
@@ -535,7 +542,7 @@ store.")
                            (assoc-ref ,(if (%current-target-system)
                                            '%build-target-inputs
                                            '%build-inputs)
-                                      "linux-headers")
+                                      "kernel-headers")
                            "/include")
 
             ;; This is the default for most architectures as of GNU libc 2.21,
@@ -549,7 +556,7 @@ store.")
                            "/bin/bash")
 
             ;; XXX: Work around "undefined reference to `__stack_chk_guard'".
-            "libc_cv_ssp=no")
+            "libc_cv_ssp=no" "libc_cv_ssp_strong=no")
 
       #:tests? #f                                 ; XXX
       #:phases (modify-phases %standard-phases
@@ -563,10 +570,6 @@ store.")
                            ;; but cross-base uses it as a native input.
                            (bash (or (assoc-ref inputs "static-bash")
                                      (assoc-ref native-inputs "static-bash"))))
-                      ;; Use `pwd', not `/bin/pwd'.
-                      (substitute* "configure"
-                        (("/bin/pwd") "pwd"))
-
                       ;; Install the rpc data base file under `$out/etc/rpc'.
                       ;; FIXME: Use installFlags = [ "sysconfdir=$(out)/etc" ];
                       (substitute* "sunrpc/Makefile"
@@ -647,6 +650,75 @@ with the Linux kernel.")
    (license lgpl2.0+)
    (home-page "http://www.gnu.org/software/libc/")))
 
+(define-public glibc/hurd
+  ;; The Hurd's libc variant.
+  (package (inherit glibc/linux)
+    (name "glibc-hurd")
+    (version "2.19")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "http://alpha.gnu.org/gnu/hurd/glibc-"
+                                  version "-hurd+libpthread-20160518" ".tar.gz"))
+              (sha256
+               (base32
+                "12zmdjviybpsdb2kq4cg98rds7909f0cc96fzdahdfrzlxx1q0px"))))
+
+    ;; Libc provides <hurd.h>, which includes a bunch of Hurd and Mach headers,
+    ;; so both should be propagated.
+    (propagated-inputs `(("hurd-core-headers" ,hurd-core-headers)))
+    (native-inputs
+     `(,@(package-native-inputs glibc/linux)
+       ("mig" ,mig)
+       ("perl" ,perl)))
+
+    (arguments
+     (substitute-keyword-arguments (package-arguments glibc/linux)
+       ((#:phases original-phases)
+        ;; Add libmachuser.so and libhurduser.so to libc.so's search path.
+        ;; See <http://lists.gnu.org/archive/html/bug-hurd/2015-07/msg00051.html>.
+        `(alist-cons-after
+          'install 'augment-libc.so
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let* ((out (assoc-ref outputs "out")))
+              (substitute* (string-append out "/lib/libc.so")
+                (("/[^ ]+/lib/libc.so.0.3")
+                 (string-append out "/lib/libc.so.0.3" " libmachuser.so" " libhurduser.so"))))
+            #t)
+          (alist-cons-after
+           'pre-configure 'pre-configure-set-pwd
+           (lambda _
+             ;; Use the right 'pwd'.
+             (substitute* "configure"
+               (("/bin/pwd") "pwd")))
+          ,original-phases)))
+        ((#:configure-flags original-configure-flags)
+        `(append (list "--host=i586-pc-gnu"
+
+                       ;; We need this to get a working openpty() function.
+                       "--enable-pt_chown"
+
+                       ;; nscd fails to build for GNU/Hurd:
+                       ;; <https://lists.gnu.org/archive/html/bug-hurd/2014-07/msg00006.html>.
+                       ;; Disable it.
+                       "--disable-nscd")
+                 (filter (lambda (flag)
+                           (not (string-prefix? "--enable-kernel=" flag)))
+                         ,original-configure-flags)))))
+    (synopsis "The GNU C Library (GNU Hurd variant)")
+    (supported-systems %hurd-systems)))
+
+(define* (glibc-for-target #:optional
+                           (target (or (%current-target-system)
+                                       (%current-system))))
+  "Return the glibc for TARGET, GLIBC/LINUX for a Linux host or
+GLIBC/HURD for a Hurd host"
+  (match target
+    ((or "i586-pc-gnu" "i586-gnu") glibc/hurd)
+    (_ glibc/linux)))
+
+(define-syntax glibc
+  (identifier-syntax (glibc-for-target)))
+
 (define-public glibc-2.21
   ;; The old libc, which we use mostly to build locale data in the old format
   ;; (which the new libc can cope with.)
@@ -766,73 +838,6 @@ variety of options.  It is an alternative to the shell \"type\" built-in
 command.")
     (license gpl3+))) ; some files are under GPLv2+
 
-(define-public glibc/hurd
-  ;; The Hurd's libc variant.
-  (package (inherit glibc)
-    (name "glibc-hurd")
-    (version "2.18")
-    (source (origin
-              (method git-fetch)
-              (uri (git-reference
-                    (url "git://git.sv.gnu.org/hurd/glibc")
-                    (commit "cc94b3cfe65523f980359e5f0e93a26196bda1d3")))
-              (sha256
-               (base32
-                "17gsh0kaz0zyvghjmx861mi2p65m9901lngi179x61zm6v2v3xc4"))
-              (file-name (string-append name "-" version))
-              (patches (search-patches "glibc-hurd-extern-inline.patch"))))
-
-    ;; Libc provides <hurd.h>, which includes a bunch of Hurd and Mach headers,
-    ;; so both should be propagated.
-    (propagated-inputs `(("gnumach-headers" ,gnumach-headers)
-                         ("hurd-headers" ,hurd-headers)
-                         ("hurd-minimal" ,hurd-minimal)))
-    (native-inputs
-     `(,@(package-native-inputs glibc)
-       ("patch/libpthread-patch" ,(search-patch "libpthread-glibc-preparation.patch"))
-       ("mig" ,mig)
-       ("perl" ,perl)
-       ("libpthread" ,(origin
-                        (method git-fetch)
-                        (uri (git-reference
-                              (url "git://git.sv.gnu.org/hurd/libpthread")
-                              (commit "0ef7b75c4ba91b6660f0d3d8b51d14d25e3d5bfb")))
-                        (sha256
-                         (base32
-                          "031py18fls15z0wprni33mf762kg6fx8xqijppimhp83yp6ky3l3"))
-                        (file-name "libpthread")))))
-
-    (arguments
-     (substitute-keyword-arguments (package-arguments glibc)
-       ((#:configure-flags original-configure-flags)
-        `(append (list "--host=i686-pc-gnu"
-
-                       ;; nscd fails to build for GNU/Hurd:
-                       ;; <https://lists.gnu.org/archive/html/bug-hurd/2014-07/msg00006.html>.
-                       ;; Disable it.
-                       "--disable-nscd")
-                 (filter (lambda (flag)
-                           (not (or (string-prefix? "--with-headers=" flag)
-                                    (string-prefix? "--enable-kernel=" flag))))
-                         ;; Evaluate 'original-configure-flags' in a
-                         ;; lexical environment that has a dummy
-                         ;; "linux-headers" input, to prevent errors.
-                         (let ((%build-inputs `(("linux-headers" . "@DUMMY@")
-                                                ,@%build-inputs)))
-                           ,original-configure-flags))))
-       ((#:phases phases)
-        `(alist-cons-after
-          'unpack 'prepare-libpthread
-          (lambda* (#:key inputs #:allow-other-keys)
-            (copy-recursively (assoc-ref inputs "libpthread") "libpthread")
-
-            (system* "patch" "--force" "-p1" "-i"
-                     (assoc-ref inputs "patch/libpthread-patch"))
-            #t)
-          ,phases))))
-    (synopsis "The GNU C Library (GNU Hurd variant)")
-    (supported-systems %hurd-systems)))
-
 (define-public glibc/hurd-headers
   (package (inherit glibc/hurd)
     (name "glibc-hurd-headers")
@@ -844,7 +849,7 @@ command.")
        ;; We just pass the flags really needed to build the headers.
        ((#:configure-flags _)
         `(list "--enable-add-ons"
-               "--host=i686-pc-gnu"
+               "--host=i586-pc-gnu"
                "--enable-obsolete-rpc"))
        ((#:phases _)
         '(alist-replace
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index 6a4eba99ef..f47a343ca6 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -62,7 +62,7 @@
   (define (boot fetch)
     (lambda* (url hash-algo hash
               #:optional name #:key system)
-      (fetch url hash-algo hash
+      (fetch url hash-algo hash name
              #:guile %bootstrap-guile
              #:system system)))
 
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index cecc026479..95c80438e9 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -37,15 +37,15 @@
 (define-public check
   (package
     (name "check")
-    (version "0.9.14")
+    (version "0.10.0")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "mirror://sourceforge/check/check/"
-                          version "/check-" version ".tar.gz"))
+      (uri (string-append "https://github.com/libcheck/check/files/71408/"
+                          "/check-" version ".tar.gz"))
       (sha256
        (base32
-        "02l4g79d81s07hzywcv1knwj5dyrwjiq2pgxaz7kidxi8m364wn2"))))
+        "0lhhywf5nxl3dd0hdakra3aasl590756c9kmvyifb3vgm9k0gxgm"))))
     (build-system gnu-build-system)
     (home-page "https://libcheck.github.io/check/")
     (synopsis "Unit test framework for C")
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 1cb1e06993..cac059ec37 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,7 +37,7 @@
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.3.2")
+    (version "3.5.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.cmake.org/files/v"
@@ -44,7 +45,7 @@
                                  "/cmake-" version ".tar.gz"))
              (sha256
               (base32
-               "08pwy9ip9cgwgynhn5vrjw8drw29gijy1rmziq22n65zds6ifnp7"))
+               "1yly38mpk2s08b4rglp9xcw5pxalk0whp9hrcg7j8qpxlkc3mj4j"))
              (patches (search-patches "cmake-fix-tests.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index c52b6e8389..8c82644cc6 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -270,21 +270,24 @@
                 (name "perl-boot0")
                 (replacement #f)
                 (arguments
-                 (substitute-keyword-arguments (package-arguments perl)
-                   ((#:phases phases)
-                    `(modify-phases ,phases
-                       ;; Pthread support is missing in the bootstrap compiler
-                       ;; (broken spec file), so disable it.
-                       (add-before 'configure 'disable-pthreads
-                         (lambda _
-                           (substitute* "Configure"
-                             (("^libswanted=(.*)pthread" _ before)
-                              (string-append "libswanted=" before))))))))))))
-   (package-with-bootstrap-guile
-    (package-with-explicit-inputs perl
-                                  %boot0-inputs
-                                  (current-source-location)
-                                  #:guile %bootstrap-guile))))
+                 ;; At the very least, this must not depend on GCC & co.
+                 (let ((args `(#:disallowed-references
+                               ,(list %bootstrap-binutils))))
+                   (substitute-keyword-arguments (package-arguments perl)
+                     ((#:phases phases)
+                      `(modify-phases ,phases
+                         ;; Pthread support is missing in the bootstrap compiler
+                         ;; (broken spec file), so disable it.
+                         (add-before 'configure 'disable-pthreads
+                           (lambda _
+                             (substitute* "Configure"
+                               (("^libswanted=(.*)pthread" _ before)
+                                (string-append "libswanted=" before)))))))))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs perl
+                                   %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
 
 (define (linux-libre-headers-boot0)
   "Return Linux-Libre header files for the bootstrap environment."
@@ -306,7 +309,12 @@
   ;; Also, use %BOOT0-INPUTS to avoid building Perl once more.
   (let ((texinfo (package (inherit texinfo)
                    (native-inputs '())
-                   (inputs `(("perl" ,perl-boot0))))))
+                   (inputs `(("perl" ,perl-boot0)))
+
+                   ;; Some of Texinfo 6.1's tests would fail with "Couldn't
+                   ;; set UTF-8 character type in locale" but we don't have a
+                   ;; UTF-8 locale at this stage, so skip them.
+                   (arguments '(#:tests? #f)))))
     (package-with-bootstrap-guile
      (package-with-explicit-inputs texinfo %boot0-inputs
                                    (current-source-location)
@@ -355,7 +363,7 @@
                                    "export CPATH\n"
                                    all "\n"))))
                ,phases)))))
-     (propagated-inputs `(("linux-headers" ,(linux-libre-headers-boot0))))
+     (propagated-inputs `(("kernel-headers" ,(linux-libre-headers-boot0))))
      (native-inputs
       `(("texinfo" ,texinfo-boot0)
         ("perl" ,perl-boot0)))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index dd107487fb..0fc61d3927 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -148,14 +148,14 @@ adding and extracting files to/from a tar archive.")
 (define-public gzip
   (package
    (name "gzip")
-   (version "1.6")
+   (version "1.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/gzip/gzip-"
-                                version ".tar.gz"))
+                                version ".tar.xz"))
             (sha256
              (base32
-              "0zlgdm4v3dndrbiz7b67mbbj25dpwqbmbzjiycssvrfrcfvq7swp"))))
+              "1lxv3p4iyx7833mlihkn5wfwmz4cys5nybwpz3dfawag8kn6f5zz"))))
    (build-system gnu-build-system)
    (synopsis "General file (de)compression (using lzw)")
    (arguments
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index a9c337e6ed..9d0f86af86 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -167,17 +167,17 @@ may be either a libc package or #f.)"
               `(alist-cons-before
                 'configure 'set-cross-path
                 (lambda* (#:key inputs #:allow-other-keys)
-                  ;; Add the cross Linux headers to CROSS_C_*_INCLUDE_PATH,
-                  ;; and remove them from C_*INCLUDE_PATH.
+                  ;; Add the cross kernel headers to CROSS_CPATH, and remove them
+                  ;; from CPATH.
                   (let ((libc  (assoc-ref inputs "libc"))
-                        (linux (assoc-ref inputs "xlinux-headers")))
+                        (kernel (assoc-ref inputs "xkernel-headers")))
                     (define (cross? x)
                       ;; Return #t if X is a cross-libc or cross Linux.
                       (or (string-prefix? libc x)
-                          (string-prefix? linux x)))
+                          (string-prefix? kernel x)))
                     (let ((cpath (string-append
                                   libc "/include"
-                                  ":" linux "/include")))
+                                  ":" kernel "/include")))
                       (for-each (cut setenv <> cpath)
                                 '("CROSS_C_INCLUDE_PATH"
                                   "CROSS_CPLUS_INCLUDE_PATH"
@@ -255,9 +255,9 @@ GCC that does not target a libc; otherwise, target that libc."
                                (alist-delete "libc" %final-inputs))))
            (if libc
                `(("libc" ,libc)
-                 ("xlinux-headers"                ;the target headers
+                 ("xkernel-headers"                ;the target headers
                   ,@(assoc-ref (package-propagated-inputs libc)
-                               "linux-headers"))
+                               "kernel-headers"))
                  ,@inputs)
                inputs))))
 
@@ -334,10 +334,10 @@ XBINUTILS and the cross tool chain."
                ,flags))
        ((#:phases phases)
         `(alist-cons-before
-          'configure 'set-cross-linux-headers-path
+          'configure 'set-cross-kernel-headers-path
           (lambda* (#:key inputs #:allow-other-keys)
-            (let* ((linux (assoc-ref inputs "linux-headers"))
-                   (cpath (string-append linux "/include")))
+            (let* ((kernel (assoc-ref inputs "kernel-headers"))
+                   (cpath (string-append kernel "/include")))
               (for-each (cut setenv <> cpath)
                         '("CROSS_C_INCLUDE_PATH"
                           "CROSS_CPLUS_INCLUDE_PATH"
@@ -346,9 +346,9 @@ XBINUTILS and the cross tool chain."
               #t))
           ,phases))))
 
-    ;; Shadow the native "linux-headers" because glibc's recipe expects the
-    ;; "linux-headers" input to point to the right thing.
-    (propagated-inputs `(("linux-headers" ,xlinux-headers)))
+    ;; Shadow the native "kernel-headers" because glibc's recipe expects the
+    ;; "kernel-headers" input to point to the right thing.
+    (propagated-inputs `(("kernel-headers" ,xlinux-headers)))
 
     ;; FIXME: 'static-bash' should really be an input, not a native input, but
     ;; to do that will require building an intermediate cross libc.
diff --git a/gnu/packages/cups.scm b/gnu/packages/cups.scm
index 8437170bfa..c055315321 100644
--- a/gnu/packages/cups.scm
+++ b/gnu/packages/cups.scm
@@ -135,20 +135,17 @@ filters for the PDF-centric printing workflow introduced by OpenPrinting.")
        ;; cups-filters package.
        #:tests? #f
        #:phases
-       (alist-cons-before
-        'configure
-        'patch-makedefs
-        (lambda _
-          (substitute* "Makedefs.in"
-            (("INITDIR.*=.*@INITDIR@") "INITDIR = @prefix@/@INITDIR@")
-            (("/bin/sh") (which "sh"))))
-        (alist-cons-before
-         'build
-         'patch-tests
-         (lambda _
-           (substitute* "test/ippserver.c"
-             (("#  else /\\* HAVE_AVAHI \\*/") "#elif defined(HAVE_AVAHI)")))
-         %standard-phases))))
+       (modify-phases %standard-phases
+         (add-before 'configure 'patch-makedefs
+           (lambda _
+             (substitute* "Makedefs.in"
+               (("INITDIR.*=.*@INITDIR@") "INITDIR = @prefix@/@INITDIR@")
+               (("/bin/sh") (which "sh")))))
+         (add-before 'build 'patch-tests
+           (lambda _
+             (substitute* "test/ippserver.c"
+               (("#  else /\\* HAVE_AVAHI \\*/")
+                "#elif defined(HAVE_AVAHI)")))))))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 3458b3ba33..a912166e84 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2012, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Cyril Roelandt <tipecaml@gmail.com>
 ;;; Copyright © 2014, 2016 David Thompson <davet@gnu.org>
@@ -114,14 +114,14 @@ either single machines or networked clusters.")
 (define-public gdbm
   (package
     (name "gdbm")
-    (version "1.11")
+    (version "1.12")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/gdbm/gdbm-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1hz3jgh3pd4qzp6jy0l8pd8x01g9abw7csnrlnj1a2sxy122z4cd"))))
+                "1smwz4x5qa4js0zf1w3asq6z7mh20zlgwbh2bk5dczw6xrk22yyr"))))
     (arguments `(#:configure-flags '("--enable-libgdbm-compat")))
     (build-system gnu-build-system)
     (home-page "http://www.gnu.org/software/gdbm/")
@@ -136,18 +136,20 @@ and provides interfaces to the traditional file format.")
 (define-public bdb
   (package
     (name "bdb")
-    (version "5.3.21")
+    (version "6.2.23")
     (source (origin
               (method url-fetch)
-              (uri (string-append "http://download.oracle.com/berkeley-db/db-" version
-                                  ".tar.gz"))
-              (sha256 (base32
-                       "1f2g2612lf8djbwbwhxsvmffmf9d7693kh2l20195pqp0f9jmnfx"))))
+              (uri (string-append "http://download.oracle.com/berkeley-db/db-"
+                                  version ".tar.gz"))
+              (sha256
+               (base32
+                "1isxx4jfmnh913jzhp8hhfngbk6dsg46f4kjpvvc56maj64jqqa7"))))
     (build-system gnu-build-system)
     (outputs '("out"                             ; programs, libraries, headers
                "doc"))                           ; 94 MiB of HTML docs
     (arguments
      '(#:tests? #f                            ; no check target available
+       #:disallowed-references ("doc")
        #:phases
        (alist-replace
         'configure
@@ -165,6 +167,9 @@ and provides interfaces to the traditional file format.")
                       (string-append "CONFIG_SHELL=" (which "bash"))
                       (string-append "SHELL=" (which "bash"))
 
+                      ;; Remove 7 MiB of .a files.
+                      "--disable-static"
+
                       ;; The compatibility mode is needed by some packages,
                       ;; notably iproute2.
                       "--enable-compat185"
@@ -464,7 +469,7 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.10.0")
+   (version "3.12.2")
    (source (origin
             (method url-fetch)
             ;; TODO: Download from sqlite.org once this bug :
@@ -495,7 +500,7 @@ for example from a shell script.")
                    ))
             (sha256
              (base32
-              "0hhhv6si0pyf5i8bv7a71953m0b4gk6s3j2h09caf7vif0njkk23"))))
+              "1fwss0i2lixv39b27gkqiibdd2syym90wh3qbiaxnfgxk867f07x"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
index 7cd1fcd71d..3668aac19a 100644
--- a/gnu/packages/ed.scm
+++ b/gnu/packages/ed.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,23 +28,24 @@
 (define-public ed
   (package
     (name "ed")
-    (version "1.12")
+    (version "1.13")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ed/ed-"
                                  version ".tar.lz"))
              (sha256
               (base32
-               "0bw0187a311rci58vznvncsj6pfp8bhs5phrlrqn03sa2i1mfrfj"))))
+               "1ly7i1iw02vbcd0zrx084z577ngxnarffmkm45dg6vndad5carnd"))))
     (build-system gnu-build-system)
     (native-inputs `(("lzip" ,lzip)))
     (arguments
      '(#:configure-flags '("CC=gcc")
-       #:phases (alist-cons-before 'patch-source-shebangs 'patch-test-suite
-                                   (lambda _
-                                     (substitute* "testsuite/check.sh"
-                                       (("/bin/sh") (which "sh"))))
-                                   %standard-phases)))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'patch-source-shebangs 'patch-test-suite
+                     (lambda _
+                       (substitute* "testsuite/check.sh"
+                         (("/bin/sh") (which "sh"))))))))
     (home-page "http://www.gnu.org/software/ed/")
     (synopsis "Line-oriented text editor")
     (description
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 6a79412f7b..a8b5018edb 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -107,14 +107,6 @@
              (substitute* (find-files "." "^Makefile\\.in$")
                (("/bin/pwd")
                 "pwd"))))
-         (add-after 'install 'remove-info.info
-           (lambda* (#:key outputs #:allow-other-keys)
-             ;; Remove 'info.info', which is provided by Texinfo <= 6.0.
-             ;; TODO: Remove this phase when we switch to Texinfo 6.1.
-             (let ((out (assoc-ref outputs "out")))
-               (delete-file
-                (string-append out "/share/info/info.info.gz"))
-               #t)))
          (add-after 'install 'install-site-start
            ;; Copy guix-emacs.el from Guix and add it to site-start.el.  This
            ;; way, Emacs packages provided by Guix and installed in
diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index fd3962dbc3..4b8a278610 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -125,7 +125,7 @@ TrueType (TTF) files.")
 (define-public font-dejavu
   (package
     (name "font-dejavu")
-    (version "2.34")
+    (version "2.35")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/dejavu/"
@@ -133,7 +133,7 @@ TrueType (TTF) files.")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0pgb0a3ngamidacmrvasg51ck3gp8gn93w6sf1s8snwzx4x2r9yh"))))
+               "122d35y93r820zhi6d7m9xhakdib10z51v63lnlg67qhhrardmzn"))))
     (build-system trivial-build-system)
     (arguments
      `(#:modules ((guix build utils))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 73ce685d51..38068008ca 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -245,10 +245,10 @@ fonts to/from the WOFF2 format.")
                            (assoc-ref %build-inputs "gs-fonts")
                            "/share/fonts")
 
-            ;; register fonts from user profile
-            ;; TODO: Add /run/current-system/profile/share/fonts and remove
-            ;; the skeleton that works around it from 'default-skeletons'.
-            "--with-add-fonts=~/.guix-profile/share/fonts"
+            ;; Register fonts from user and system profiles.
+            (string-append "--with-add-fonts="
+                           "~/.guix-profile/share/fonts,"
+                           "/run/current-system/profile/share/fonts")
 
             ;; python is not actually needed
             "PYTHON=false")
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index 233a20bc86..1ca8ca0d59 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -153,7 +153,7 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                 ("libelf" ,libelf)
                 ("zlib" ,zlib)))
 
-      ;; GCC is one of the few packages that doesn't ship .info files.
+      ;; GCC < 5 is one of the few packages that doesn't ship .info files.
       (native-inputs `(("texinfo" ,texinfo)))
 
       (arguments
@@ -352,7 +352,9 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"))
-              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))
+    ;; GCC 5 ships with .info files, so no need for Texinfo.
+    (native-inputs '())))
 
 (define-public gcc-6
   (package
diff --git a/gnu/packages/gettext.scm b/gnu/packages/gettext.scm
index 34338f936b..bf38543178 100644
--- a/gnu/packages/gettext.scm
+++ b/gnu/packages/gettext.scm
@@ -41,14 +41,14 @@
 (define-public gnu-gettext
   (package
     (name "gettext")
-    (version "0.19.7")
+    (version "0.19.8")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/gettext/gettext-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0gy2b2aydj8r0sapadnjw8cmb8j2rynj28d5qs1mfa800njd51jk"))))
+               "13ylc6n3hsk919c7xl0yyibc3pfddzb53avdykn4hmk8g6yzd91x"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of HTML
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 0a65813f97..ae00eea1dc 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2013, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -156,7 +156,8 @@ printing, and psresize, for adjusting page sizes.")
         ("python" ,python-wrapper)
         ("tcl" ,tcl)))
    (arguments
-    `(#:phases
+    `(#:disallowed-references ("doc")
+      #:phases
       (modify-phases %standard-phases
         (add-after 'configure 'patch-config-files
                    (lambda _
@@ -172,12 +173,15 @@ printing, and psresize, for adjusting page sizes.")
                      (substitute* "base/gscdef.c"
                        (("GS_DOCDIR")
                         "\"~/.guix-profile/share/doc/ghostscript\""))))
-        (add-after 'build 'build-so
-                   (lambda _
-                     (zero? (system* "make" "so"))))
-        (add-after 'install 'install-so
-                   (lambda _
-                     (zero? (system* "make" "install-so")))))))
+        (replace 'build
+          (lambda _
+            ;; Build 'libgs.so', but don't build the statically-linked 'gs'
+            ;; binary (saves 18 MiB).
+            (zero? (system* "make" "so" "-j"
+                            (number->string (parallel-job-count))))))
+        (replace 'install
+          (lambda _
+            (zero? (system* "make" "soinstall")))))))
    (synopsis "PostScript and PDF interpreter")
    (description
     "Ghostscript is an interpreter for the PostScript language and the PDF
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index e6583e5e6f..dd9519bf84 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
+;;; Copyright © 2016 Nils Gillmann <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -49,7 +50,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.21")
+    (version "1.22")
     (source
      (origin
       (method url-fetch)
@@ -57,7 +58,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0kdq2cbnk84fr4jqcv689rlxpbyl6bda2cn6y3ll19v3mlydpnxp"))))
+        "0ywxwswizmkyciy480kzczxn6nhbgzf3z8my4nk43nvv67k4x87j"))))
     (build-system gnu-build-system)
     (home-page "http://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -73,14 +74,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.5")
+    (version "1.7.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
+               "14pspxwrqcgfklw3dgmywbxqwdzcym7fznfrqh9rk4vl8jkpxrmh"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 6f00edb06b..7c0254e3b6 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -162,7 +162,8 @@ without requiring the source code to be rewritten.")
    (outputs '("out" "debug"))
 
    (arguments
-    `(#:phases (alist-cons-before
+    `(#:configure-flags '("--disable-static")     ;saves 3MiB
+      #:phases (alist-cons-before
                 'configure 'pre-configure
                 (lambda* (#:key inputs #:allow-other-keys)
                   ;; Tell (ice-9 popen) the file name of Bash.
diff --git a/gnu/packages/hurd.scm b/gnu/packages/hurd.scm
index 2b2e162107..a4c0296b04 100644
--- a/gnu/packages/hurd.scm
+++ b/gnu/packages/hurd.scm
@@ -21,12 +21,12 @@
   #:use-module (guix download)
   #:use-module (guix packages)
   #:use-module (gnu packages)
+  #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages perl)
-  #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
   #:use-module (guix git-download))
 
@@ -55,7 +55,11 @@
 
       ;; GNU Mach supports only IA32 currently, so cheat so that we can at
       ;; least install its headers.
-      #:configure-flags '("--build=i686-pc-gnu")
+      ,@(if (%current-target-system)
+            '()
+            ;; See <http://lists.gnu.org/archive/html/bug-hurd/2015-06/msg00042.html>
+            ;; <http://lists.gnu.org/archive/html/guix-devel/2015-06/msg00716.html>
+            '(#:configure-flags '("--build=i586-pc-gnu")))
 
       #:tests? #f))
     (home-page "https://www.gnu.org/software/hurd/microkernel/mach/gnumach.html")
@@ -108,11 +112,7 @@ communication.")
                 "1pbc4aqgzxvkgivw80ghp3w755cl0fwxmg357vq7chimj64jk78d"))))
     (build-system gnu-build-system)
     (native-inputs
-     `(;; Autoconf shouldn't be necessary but there seems to be a bug in the
-       ;; build system triggering its use.
-       ("autoconf" ,autoconf)
-
-       ("mig" ,mig)))
+     `(("mig" ,mig)))
     (arguments
      `(#:phases (alist-replace
                  'install
@@ -122,10 +122,19 @@ communication.")
 
        #:configure-flags '(;; Pretend we're on GNU/Hurd; 'configure' wants
                            ;; that.
-                           "--build=i686-pc-gnu"
+                           ,@(if (%current-target-system)
+                                 '()
+                                 '("--host=i586-pc-gnu"))
 
                            ;; Reduce set of dependencies.
-                           "--without-parted")
+                           "--without-parted"
+                           "--disable-ncursesw"
+                           "--disable-test"
+                           "--without-libbz2"
+                           "--without-libz"
+                           ;; Skip the clnt_create check because it expects
+                           ;; a working glibc causing a circular dependency.
+                           "ac_cv_search_clnt_create=no")
 
        #:tests? #f))
     (home-page "http://www.gnu.org/software/hurd/hurd.html")
@@ -140,46 +149,28 @@ Library and other user programs.")
     (name "hurd-minimal")
     (inputs `(("glibc-hurd-headers" ,glibc/hurd-headers)))
     (native-inputs
-     `(("autoconf" ,(autoconf-wrapper))
-       ("mig" ,mig)))
-
+     `(("mig" ,mig)))
     (arguments
-     `(#:phases (alist-replace
-                 'install
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   (let ((out (assoc-ref outputs "out")))
-                     ;; We need to copy libihash.a to the output directory manually,
-                     ;; since there is no target for that in the makefile.
-                     (mkdir-p (string-append out "/include"))
-                     (copy-file "libihash/ihash.h"
-                                (string-append out "/include/ihash.h"))
-                     (mkdir-p (string-append out "/lib"))
-                     (copy-file "libihash/libihash.a"
-                                (string-append out "/lib/libihash.a"))
-                     #t))
-                 (alist-replace
-                  'build
-                  (lambda _
-                    (zero? (system* "make" "-Clibihash" "libihash.a")))
-                  (alist-cons-before
-                   'configure 'bootstrap
-                   (lambda _
-                     (zero? (system* "autoreconf" "-vfi")))
-                   %standard-phases)))
-       #:configure-flags '(;; Pretend we're on GNU/Hurd; 'configure' wants
-                           ;; that.
-                           "--host=i686-pc-gnu"
-
-                           ;; Reduce set of dependencies.
-                           "--disable-ncursesw"
-                           "--disable-test"
-                           "--without-libbz2"
-                           "--without-libz"
-                           "--without-parted"
-                           ;; Skip the clnt_create check because it expects
-                           ;; a working glibc causing a circular dependency.
-                           "ac_cv_search_clnt_create=no")
-       #:tests? #f))
+     (substitute-keyword-arguments (package-arguments hurd-headers)
+       ((#:phases _)
+        '(alist-replace
+          'install
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              ;; We need to copy libihash.a to the output directory manually,
+              ;; since there is no target for that in the makefile.
+              (mkdir-p (string-append out "/include"))
+              (copy-file "libihash/ihash.h"
+                         (string-append out "/include/ihash.h"))
+              (mkdir-p (string-append out "/lib"))
+              (copy-file "libihash/libihash.a"
+                         (string-append out "/lib/libihash.a"))
+              #t))
+          (alist-replace
+           'build
+           (lambda _
+             (zero? (system* "make" "-Clibihash" "libihash.a")))
+           %standard-phases)))))
     (home-page "http://www.gnu.org/software/hurd/hurd.html")
     (synopsis "GNU Hurd libraries")
     (description
diff --git a/gnu/packages/ld-wrapper.in b/gnu/packages/ld-wrapper.in
index c92ed1dcc7..ebfd8332c4 100644
--- a/gnu/packages/ld-wrapper.in
+++ b/gnu/packages/ld-wrapper.in
@@ -6,12 +6,16 @@
 # the shebang line in Linux.
 # Use `load-compiled' because `load' (and `-l') doesn't otherwise load our
 # .go file (see <http://bugs.gnu.org/12519>).
+# Unset 'GUILE_LOAD_COMPILED_PATH' to make sure we do not stumble upon
+# incompatible .go files.  See
+# <https://lists.gnu.org/archive/html/guile-devel/2016-03/msg00000.html>.
 
+unset GUILE_LOAD_COMPILED_PATH
 main="(@ (gnu build-support ld-wrapper) ld-wrapper)"
 exec @GUILE@ -c "(load-compiled \"@SELF@.go\") (apply $main (cdr (command-line)))" "$@"
 !#
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index b6fa7c0545..3aa3adea72 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -105,7 +105,7 @@
          version "-gnu.tar.xz")))
 
 (define-public linux-libre-headers
-  (let* ((version "3.14.37")
+  (let* ((version "4.1.18")
          (build-phase
           (lambda (arch)
             `(lambda _
@@ -143,7 +143,7 @@
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "1blxr2bsvfqi9khj4cpspv434bmx252zak2wsbi2mgl60zh77gza"))))
+               "1bddh2rg645lavhjkk9z75vflba5y0g73z2fjwgbfrj5jb44x9i7"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -468,12 +468,11 @@ providing the system administrator with some help in common tasks.")
                     (("build_kill=yes") "build_kill=no"))
                   #t))))
     (build-system gnu-build-system)
+    (outputs '("out"
+               "static"))      ; >2 MiB of static .a libraries
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
 
-                               ;; Do not build .a files to save 2 MiB.
-                               "--disable-static"
-
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -498,6 +497,19 @@ providing the system administrator with some help in common tasks.")
                        (substitute* "tests/ts/misc/mcookie"
                          (("/etc/services")
                           (string-append net "/etc/services")))
+                       #t)))
+                  (add-after
+                   'install 'move-static-libraries
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out    (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (mkdir-p (string-append static "/lib"))
+                       (with-directory-excursion out
+                         (for-each (lambda (file)
+                                     (rename-file file
+                                                  (string-append static "/"
+                                                                 file)))
+                                   (find-files "lib" "\\.a$")))
                        #t))))))
     (inputs `(("zlib" ,zlib)
               ("ncurses" ,ncurses)))
@@ -526,7 +538,9 @@ block devices, UUIDs, TTYs, and many other tools.")
                                   "procps-ng-" version ".tar.xz"))
               (sha256
                (base32
-                "1va4n0mpsq327ca9dqp4hnrpgs6821rp0f2m0jyc1bfjl9lk2jg9"))))
+                "1va4n0mpsq327ca9dqp4hnrpgs6821rp0f2m0jyc1bfjl9lk2jg9"))
+              (patches
+               (list (search-patch "procps-non-linux.patch")))))
     (build-system gnu-build-system)
     (arguments
      '(#:modules ((guix build utils)
@@ -1562,7 +1576,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
 (define-public kmod
   (package
     (name "kmod")
-    (version "17")
+    (version "22")
     (source (origin
               (method url-fetch)
               (uri
@@ -1570,7 +1584,7 @@ to use Linux' inotify mechanism, which allows file accesses to be monitored.")
                               "kmod-" version ".tar.xz"))
               (sha256
                (base32
-                "1yid3a9b64a60ybj66fk2ysrq5klnl0ijl4g624cl16y8404g9rv"))
+                "10lzfkmnpq6a43a3gkx7x633njh216w0bjwz31rv8a1jlgg1sfxs"))
               (patches (search-patches "kmod-module-directory.patch"))))
     (build-system gnu-build-system)
     (native-inputs
@@ -2558,12 +2572,26 @@ and copy/paste text in the console and in xterm.")
                (base32
                 "1lzbw275xgv69v4z8hmsf3jnip38116hxhkpv0madk8wv049drz6"))))
     (build-system gnu-build-system)
+    (outputs '("out"
+               "static"))      ; static versions of binaries in "out" (~16MiB!)
     (arguments
-     '(#:test-target "test"
+     '(#:phases (modify-phases %standard-phases
+                 (add-after 'build 'build-static
+                   (lambda _ (zero? (system* "make" "static"))))
+                 (add-after 'install 'install-static
+                   (let ((staticbin (string-append (assoc-ref %outputs "static")
+                                                  "/bin")))
+                     (lambda _
+                       (zero? (system* "make"
+                                       (string-append "bindir=" staticbin)
+                                       "install-static"))))))
+       #:test-target "test"
        #:parallel-tests? #f)) ; tests fail when run in parallel
     (inputs `(("e2fsprogs" ,e2fsprogs)
               ("libblkid" ,util-linux)
+              ("libblkid:static" ,util-linux "static")
               ("libuuid" ,util-linux)
+              ("libuuid:static" ,util-linux "static")
               ("zlib" ,zlib)
               ("lzo" ,lzo)))
     (native-inputs `(("pkg-config" ,pkg-config)
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index b4563277aa..a1993bc3a5 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2014 Sou Bunnbu <iyzsong@gmail.com>
@@ -1168,8 +1168,7 @@ deliver it in various ways.")
     ;; filesystem are performed during 'make install'.  However, these
     ;; are performed before the actual build process.
     (build-system gnu-build-system)
-    (inputs `(("glibc" ,glibc)
-              ("exim" ,exim)))
+    (inputs `(("exim" ,exim)))
     (home-page "http://www.procmail.org/")
     (synopsis "Versatile mail delivery agent (MDA)")
     (description "Procmail is a mail delivery agent (MDA) featuring support
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index 85dfaa6b6f..def9c23b17 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -344,7 +344,7 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                   (libdir (string-append out "/lib"))
                   (incdir (string-append out "/include"))
                   (libc   (assoc-ref %build-inputs "libc"))
-                  (linux  (assoc-ref %build-inputs "linux-headers")))
+                  (linux  (assoc-ref %build-inputs "kernel-headers")))
              (mkdir-p libdir)
              (for-each (lambda (file)
                          (let ((target (string-append libdir "/"
@@ -379,7 +379,7 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                                 (parameterize ((%current-target-system #f))
                                   (cross-libc target)))
                                glibc)))
-                ("linux-headers" ,linux-libre-headers)))
+                ("kernel-headers" ,linux-libre-headers)))
 
       ;; Only one output.
       (outputs '("out")))))
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 99243235ad..46540be5c4 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -80,13 +80,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.3")
+   (version "3.1.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "05jaa5z78lvrayld09nyr0v27c1m5dm9l7kr85v2bj4jv65s0db8"))))
+                     "1x8pcnpn1vxfzfsr0js07rwhwyq27fmdzcfjpzi5773ldnqi653n"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/netpbm.scm b/gnu/packages/netpbm.scm
index 475635e7e1..e2d409abe2 100644
--- a/gnu/packages/netpbm.scm
+++ b/gnu/packages/netpbm.scm
@@ -27,6 +27,7 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages xml)
+  #:use-module (gnu packages xorg)
   #:use-module (guix build-system gnu)
   #:use-module ((guix licenses) #:select (gpl2))
   #:use-module (guix packages)
@@ -91,6 +92,7 @@
              ("libpng" ,libpng)
              ("libtiff" ,libtiff)
              ("libxml2" ,libxml2)
+             ("xorg-rgb" ,xorg-rgb)
              ("zlib" ,zlib)))
    (native-inputs
      `(("flex" ,flex)
@@ -99,50 +101,55 @@
        ("python" ,python-wrapper)))
    (arguments
     `(#:phases
-      (alist-replace
-       'configure
-       (lambda _
-        (copy-file "config.mk.in" "config.mk")
-        (chmod "config.mk" #o664)
-        (let ((f (open-file "config.mk" "a")))
-         (display "CC=gcc\n" f)
-         (display "CFLAGS_SHLIB += -fPIC\n" f)
-         (display "TIFFLIB = libtiff.so\n" f)
-         (display "JPEGLIB = libjpeg.so\n" f)
-         (display "ZLIB = libz.so\n" f)
-         (display (string-append "LDFLAGS += -Wl,-rpath=" %output "/lib") f)
-         (close-port f)))
-      (alist-cons-before
-       'check 'setup-check
-       (lambda _
-         ;; install temporarily into /tmp/netpbm
-         (system* "make" "package")
-         ;; remove test requiring X
-         (substitute* "test/all-in-place.test" (("pamx") ""))
-         ;; do not worry about non-existing file
-         (substitute* "test/all-in-place.test" (("^rm ") "rm -f "))
-         ;; remove four tests that fail for unknown reasons
-         (substitute* "test/Test-Order"
-           (("all-in-place.test") "")
-           (("pnmpsnr.test") "")
-           (("pnmremap1.test") "")
-           (("gif-roundtrip.test") "")))
-      (alist-replace
-       'install
-       (lambda* (#:key outputs make-flags #:allow-other-keys)
-        (let ((out (assoc-ref outputs "out")))
-         (apply system* "make" "package"
-                        (string-append "pkgdir=" out) make-flags)
-         ;; copy static library
-         (copy-file (string-append out "/link/libnetpbm.a")
-                    (string-append out "/lib/libnetpbm.a"))
-         ;; remove superfluous folders and files
-         (system* "rm" "-r" (string-append out "/link"))
-         (system* "rm" "-r" (string-append out "/misc"))
-         (with-directory-excursion out
-           (for-each delete-file
-                     '("config_template" "pkginfo" "README" "VERSION")))))
-      %standard-phases)))))
+      (modify-phases %standard-phases
+       (replace 'configure
+         (lambda* (#:key inputs outputs #:allow-other-keys)
+           (copy-file "config.mk.in" "config.mk")
+           (chmod "config.mk" #o664)
+           (let ((f (open-file "config.mk" "a")))
+             (display "CC=gcc\n" f)
+             (display "CFLAGS_SHLIB += -fPIC\n" f)
+             (display "TIFFLIB = libtiff.so\n" f)
+             (display "JPEGLIB = libjpeg.so\n" f)
+             (display "ZLIB = libz.so\n" f)
+             (display (string-append "LDFLAGS += -Wl,-rpath=" %output "/lib") f)
+             (close-port f))
+           (let ((rgb (string-append (assoc-ref inputs "xorg-rgb")
+                                     "/share/X11/rgb.txt")))
+             (substitute* "pm_config.in.h"
+               (("/usr/share/X11/rgb.txt") rgb)))
+           #t))
+       (add-before 'check 'setup-check
+         (lambda _
+           ;; install temporarily into /tmp/netpbm
+           (system* "make" "package")
+           ;; remove test requiring X
+           (substitute* "test/all-in-place.test" (("pamx") ""))
+           ;; do not worry about non-existing file
+           (substitute* "test/all-in-place.test" (("^rm ") "rm -f "))
+           ;; remove four tests that fail for unknown reasons
+           (substitute* "test/Test-Order"
+             (("all-in-place.test") "")
+             (("pnmpsnr.test") "")
+             (("pnmremap1.test") "")
+             (("gif-roundtrip.test") ""))
+           #t))
+       (replace 'install
+         (lambda* (#:key outputs make-flags #:allow-other-keys)
+           (let ((out (assoc-ref outputs "out")))
+             (apply system* "make" "package"
+                    (string-append "pkgdir=" out) make-flags)
+             ;; copy static library
+             (copy-file (string-append out "/link/libnetpbm.a")
+                        (string-append out "/lib/libnetpbm.a"))
+             ;; remove superfluous folders and files
+             (system* "rm" "-r" (string-append out "/link"))
+             (system* "rm" "-r" (string-append out "/misc"))
+             (with-directory-excursion out
+               (for-each delete-file
+                         '("config_template" "pkginfo" "README"
+                           "VERSION")))
+             #t))))))
    (synopsis "Toolkit for manipulation of images")
    (description
     "Netpbm is a toolkit for the manipulation of graphic images, including
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 429078fc92..adb6f36fe8 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -34,9 +34,8 @@
 
 (define-public openldap
   (package
-   (replacement openldap-2.4.44)
    (name "openldap")
-   (version "2.4.42")
+   (version "2.4.44")
    (source (origin
             (method url-fetch)
 
@@ -53,7 +52,7 @@
                         "openldap-release/openldap-" version ".tgz")))
             (sha256
              (base32
-              "0qwfpb5ipp2l76v11arghq5mr0sjc6xhjfg8a0kgsaw5qpib1dzf"))))
+              "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb)
              ("openssl" ,openssl)
@@ -78,24 +77,3 @@
     "OpenLDAP is a free implementation of the Lightweight Directory Access Protocol.")
    (license openldap2.8)
    (home-page "http://www.openldap.org/")))
-
-(define openldap-2.4.44
-  (package
-    (inherit openldap)
-    (replacement #f)
-    (source
-      (let ((version "2.4.44"))
-        (origin
-          (method url-fetch)
-          (uri (list (string-append
-                      "ftp://mirror.switch.ch/mirror/OpenLDAP/"
-                      "openldap-release/openldap-" version ".tgz")
-                     (string-append
-                      "ftp://ftp.OpenLDAP.org/pub/OpenLDAP/"
-                      "openldap-release/openldap-" version ".tgz")
-                     (string-append
-                      "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
-                      "openldap-release/openldap-" version ".tgz")))
-          (sha256
-           (base32
-            "0044p20hx07fwgw2mbwj1fkx04615hhs1qyx4mawj2bhqvrnppnp")))))))
diff --git a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
index af5e3bcc3e..fc8d6291f5 100644
--- a/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
+++ b/gnu/packages/patches/expat-CVE-2015-1283-refix.patch
@@ -1,42 +1,39 @@
-Update previous fix for CVE-2015-1283 to not rely on undefined behavior.
+Follow-up upstream fix for CVE-2015-1283 to not rely on undefined
+behavior.
 
-Copied from Debian, as found in Debian package version 2.1.0-6+deb8u2.
+Adapted from a patch from Debian (found in Debian package version
+2.1.0-6+deb8u2) to apply to upstream code:
 
 https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u2/debian/patches/CVE-2015-1283-refix.patch/
 
-From 29a11774d8ebbafe8418b4a5ffb4cc1160b194a1 Mon Sep 17 00:00:00 2001
-From: Pascal Cuoq <cuoq@trust-in-soft.com>
-Date: Sun, 15 May 2016 09:05:46 +0200
-Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix.
-
 ---
- expat/lib/xmlparse.c | 6 ++++--
+ lib/xmlparse.c | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 13e080d..cdb12ef 100644
+index 0f6f4cd..5c70c17 100644
 --- a/lib/xmlparse.c
 +++ b/lib/xmlparse.c
-@@ -1695,7 +1695,8 @@ XML_GetBuffer(XML_Parser parser, int len
+@@ -1727,7 +1727,8 @@ XML_GetBuffer(XML_Parser parser, int len)
    }
  
    if (len > bufferLim - bufferEnd) {
 -    int neededSize = len + (int)(bufferEnd - bufferPtr);
 +    /* Do not invoke signed arithmetic overflow: */
 +    int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
- /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
      if (neededSize < 0) {
        errorCode = XML_ERROR_NO_MEMORY;
-@@ -1729,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len
+       return NULL;
+@@ -1759,7 +1760,8 @@ XML_GetBuffer(XML_Parser parser, int len)
        if (bufferSize == 0)
          bufferSize = INIT_BUFFER_SIZE;
        do {
 -        bufferSize *= 2;
 +        /* Do not invoke signed arithmetic overflow: */
 +        bufferSize = (int) (2U * (unsigned) bufferSize);
- /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
        } while (bufferSize < neededSize && bufferSize > 0);
- /* END MOZILLA CHANGE */
+       if (bufferSize <= 0) {
+         errorCode = XML_ERROR_NO_MEMORY;
 -- 
-2.8.2
+2.8.3
 
diff --git a/gnu/packages/patches/expat-CVE-2015-1283.patch b/gnu/packages/patches/expat-CVE-2015-1283.patch
deleted file mode 100644
index f9065bea16..0000000000
--- a/gnu/packages/patches/expat-CVE-2015-1283.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Copied from Debian.
-
-Description: fix multiple integer overflows in the XML_GetBuffer function
- Multiple integer overflows in the XML_GetBuffer function in Expat through
- 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products,
- allow remote attackers to cause a denial of service (heap-based buffer
- overflow) or possibly have unspecified other impact via crafted XML data,
- a related issue to CVE-2015-2716.
-Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
-Author: Eric Rahm <erahm@mozilla.com>
-Forwarded: not-needed
-Last-Update: 2015-07-24
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
-   XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
-   positionPtr = bufferPtr;
-   return result;
- }
- 
- void * XMLCALL
- XML_GetBuffer(XML_Parser parser, int len)
- {
-+/* BEGIN MOZILLA CHANGE (sanity check len) */
-+  if (len < 0) {
-+    errorCode = XML_ERROR_NO_MEMORY;
-+    return NULL;
-+  }
-+/* END MOZILLA CHANGE */
-   switch (ps_parsing) {
-   case XML_SUSPENDED:
-     errorCode = XML_ERROR_SUSPENDED;
-     return NULL;
-   case XML_FINISHED:
-     errorCode = XML_ERROR_FINISHED;
-     return NULL;
-   default: ;
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    /* FIXME avoid integer overflow */
-     int neededSize = len + (int)(bufferEnd - bufferPtr);
-+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
-+    if (neededSize < 0) {
-+      errorCode = XML_ERROR_NO_MEMORY;
-+      return NULL;
-+    }
-+/* END MOZILLA CHANGE */
- #ifdef XML_CONTEXT_BYTES
-     int keep = (int)(bufferPtr - buffer);
- 
-     if (keep > XML_CONTEXT_BYTES)
-       keep = XML_CONTEXT_BYTES;
-     neededSize += keep;
- #endif  /* defined XML_CONTEXT_BYTES */
-     if (neededSize  <= bufferLim - buffer) {
-@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
-     }
-     else {
-       char *newBuf;
-       int bufferSize = (int)(bufferLim - bufferPtr);
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
-         bufferSize *= 2;
--      } while (bufferSize < neededSize);
-+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
-+      } while (bufferSize < neededSize && bufferSize > 0);
-+/* END MOZILLA CHANGE */
-+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
-+      if (bufferSize <= 0) {
-+        errorCode = XML_ERROR_NO_MEMORY;
-+        return NULL;
-+      }
-+/* END MOZILLA CHANGE */
-       newBuf = (char *)MALLOC(bufferSize);
-       if (newBuf == 0) {
-         errorCode = XML_ERROR_NO_MEMORY;
-         return NULL;
-       }
-       bufferLim = newBuf + bufferSize;
- #ifdef XML_CONTEXT_BYTES
-       if (bufferPtr) {
-
-
-
-
diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch
deleted file mode 100644
index 9a0909af74..0000000000
--- a/gnu/packages/patches/glibc-CVE-2015-7547.patch
+++ /dev/null
@@ -1,559 +0,0 @@
-Copied from Fedora:
-http://pkgs.fedoraproject.org/cgit/rpms/glibc.git/tree/glibc-CVE-2015-7547.patch?h=f23&id=9f1734eb6ce3257b788d6e9203572e8204c6c584
-
-Adapted to apply cleanly to glibc-2.22.
-
-Index: b/resolv/nss_dns/dns-host.c
-===================================================================
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
-   int h_namelen = 0;
- 
-   if (ancount == 0)
--    return NSS_STATUS_NOTFOUND;
-+    {
-+      *h_errnop = HOST_NOT_FOUND;
-+      return NSS_STATUS_NOTFOUND;
-+    }
- 
-   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
-     {
-@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
-   /* Special case here: if the resolver sent a result but it only
-      contains a CNAME while we are looking for a T_A or T_AAAA record,
-      we fail with NOTFOUND instead of TRYAGAIN.  */
--  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-+  if (canon != NULL)
-+    {
-+      *h_errnop = HOST_NOT_FOUND;
-+      return NSS_STATUS_NOTFOUND;
-+    }
-+
-+  *h_errnop = NETDB_INTERNAL;
-+  return NSS_STATUS_TRYAGAIN;
- }
- 
- 
-@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
- 
-   enum nss_status status = NSS_STATUS_NOTFOUND;
- 
-+  /* Combining the NSS status of two distinct queries requires some
-+     compromise and attention to symmetry (A or AAAA queries can be
-+     returned in any order).  What follows is a breakdown of how this
-+     code is expected to work and why. We discuss only SUCCESS,
-+     TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
-+     that apply (though RETURN and MERGE exist).  We make a distinction
-+     between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
-+     A recoverable TRYAGAIN is almost always due to buffer size issues
-+     and returns ERANGE in errno and the caller is expected to retry
-+     with a larger buffer.
-+
-+     Lastly, you may be tempted to make significant changes to the
-+     conditions in this code to bring about symmetry between responses.
-+     Please don't change anything without due consideration for
-+     expected application behaviour.  Some of the synthesized responses
-+     aren't very well thought out and sometimes appear to imply that
-+     IPv4 responses are always answer 1, and IPv6 responses are always
-+     answer 2, but that's not true (see the implemetnation of send_dg
-+     and send_vc to see response can arrive in any order, particlarly
-+     for UDP). However, we expect it holds roughly enough of the time
-+     that this code works, but certainly needs to be fixed to make this
-+     a more robust implementation.
-+
-+     ----------------------------------------------
-+     | Answer 1 Status /   | Synthesized | Reason |
-+     | Answer 2 Status     | Status      |        |
-+     |--------------------------------------------|
-+     | SUCCESS/SUCCESS     | SUCCESS     | [1]    |
-+     | SUCCESS/TRYAGAIN    | TRYAGAIN    | [5]    |
-+     | SUCCESS/TRYAGAIN'   | SUCCESS     | [1]    |
-+     | SUCCESS/NOTFOUND    | SUCCESS     | [1]    |
-+     | SUCCESS/UNAVAIL     | SUCCESS     | [1]    |
-+     | TRYAGAIN/SUCCESS    | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/TRYAGAIN   | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/TRYAGAIN'  | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/NOTFOUND   | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/UNAVAIL    | TRYAGAIN    | [2]    |
-+     | TRYAGAIN'/SUCCESS   | SUCCESS     | [3]    |
-+     | TRYAGAIN'/TRYAGAIN  | TRYAGAIN    | [3]    |
-+     | TRYAGAIN'/TRYAGAIN' | TRYAGAIN'   | [3]    |
-+     | TRYAGAIN'/NOTFOUND  | TRYAGAIN'   | [3]    |
-+     | TRYAGAIN'/UNAVAIL   | UNAVAIL     | [3]    |
-+     | NOTFOUND/SUCCESS    | SUCCESS     | [3]    |
-+     | NOTFOUND/TRYAGAIN   | TRYAGAIN    | [3]    |
-+     | NOTFOUND/TRYAGAIN'  | TRYAGAIN'   | [3]    |
-+     | NOTFOUND/NOTFOUND   | NOTFOUND    | [3]    |
-+     | NOTFOUND/UNAVAIL    | UNAVAIL     | [3]    |
-+     | UNAVAIL/SUCCESS     | UNAVAIL     | [4]    |
-+     | UNAVAIL/TRYAGAIN    | UNAVAIL     | [4]    |
-+     | UNAVAIL/TRYAGAIN'   | UNAVAIL     | [4]    |
-+     | UNAVAIL/NOTFOUND    | UNAVAIL     | [4]    |
-+     | UNAVAIL/UNAVAIL     | UNAVAIL     | [4]    |
-+     ----------------------------------------------
-+
-+     [1] If the first response is a success we return success.
-+         This ignores the state of the second answer and in fact
-+         incorrectly sets errno and h_errno to that of the second
-+	 answer.  However because the response is a success we ignore
-+	 *errnop and *h_errnop (though that means you touched errno on
-+         success).  We are being conservative here and returning the
-+         likely IPv4 response in the first answer as a success.
-+
-+     [2] If the first response is a recoverable TRYAGAIN we return
-+	 that instead of looking at the second response.  The
-+	 expectation here is that we have failed to get an IPv4 response
-+	 and should retry both queries.
-+
-+     [3] If the first response was not a SUCCESS and the second
-+	 response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
-+	 or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
-+	 result from the second response, otherwise the first responses
-+	 status is used.  Again we have some odd side-effects when the
-+	 second response is NOTFOUND because we overwrite *errnop and
-+	 *h_errnop that means that a first answer of NOTFOUND might see
-+	 its *errnop and *h_errnop values altered.  Whether it matters
-+	 in practice that a first response NOTFOUND has the wrong
-+	 *errnop and *h_errnop is undecided.
-+
-+     [4] If the first response is UNAVAIL we return that instead of
-+	 looking at the second response.  The expectation here is that
-+	 it will have failed similarly e.g. configuration failure.
-+
-+     [5] Testing this code is complicated by the fact that truncated
-+	 second response buffers might be returned as SUCCESS if the
-+	 first answer is a SUCCESS.  To fix this we add symmetry to
-+	 TRYAGAIN with the second response.  If the second response
-+	 is a recoverable error we now return TRYAGIN even if the first
-+	 response was SUCCESS.  */
-+
-   if (anslen1 > 0)
-     status = gaih_getanswer_slice(answer1, anslen1, qname,
- 				  &pat, &buffer, &buflen,
- 				  errnop, h_errnop, ttlp,
- 				  &first);
-+
-   if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
-        || (status == NSS_STATUS_TRYAGAIN
- 	   /* We want to look at the second answer in case of an
-@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
- 						     &pat, &buffer, &buflen,
- 						     errnop, h_errnop, ttlp,
- 						     &first);
-+      /* Use the second response status in some cases.  */
-       if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
- 	status = status2;
-+      /* Do not return a truncated second response (unless it was
-+         unavoidable e.g. unrecoverable TRYAGAIN).  */
-+      if (status == NSS_STATUS_SUCCESS
-+	  && (status2 == NSS_STATUS_TRYAGAIN
-+	      && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
-+	status = NSS_STATUS_TRYAGAIN;
-     }
- 
-   return status;
-Index: b/resolv/res_query.c
-===================================================================
---- a/resolv/res_query.c
-+++ b/resolv/res_query.c
-@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
- 		  {
- 		    free (*answerp2);
- 		    *answerp2 = NULL;
-+		    *nanswerp2 = 0;
- 		    *answerp2_malloced = 0;
- 		  }
- 	}
-@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
- 			  {
- 			    free (*answerp2);
- 			    *answerp2 = NULL;
-+			    *nanswerp2 = 0;
- 			    *answerp2_malloced = 0;
- 			  }
- 
-@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
- 	  {
- 	    free (*answerp2);
- 	    *answerp2 = NULL;
-+	    *nanswerp2 = 0;
- 	    *answerp2_malloced = 0;
- 	  }
- 	if (saved_herrno != -1)
-Index: b/resolv/res_send.c
-===================================================================
---- a/resolv/res_send.c
-+++ b/resolv/res_send.c
-@@ -1,3 +1,20 @@
-+/* Copyright (C) 2016 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
- /*
-  * Copyright (c) 1985, 1989, 1993
-  *    The Regents of the University of California.  All rights reserved.
-@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const
- #ifdef USE_HOOKS
- 	if (__glibc_unlikely (statp->qhook || statp->rhook))       {
- 		if (anssiz < MAXPACKET && ansp) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *buf = malloc (MAXPACKET);
- 			if (buf == NULL)
- 				return (-1);
-@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend)
- 
- /* Private */
- 
-+/* The send_vc function is responsible for sending a DNS query over TCP
-+   to the nameserver numbered NS from the res_state STATP i.e.
-+   EXT(statp).nssocks[ns].  The function supports sending both IPv4 and
-+   IPv6 queries at the same serially on the same socket.
-+
-+   Please note that for TCP there is no way to disable sending both
-+   queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
-+   and sends the queries serially and waits for the result after each
-+   sent query.  This implemetnation should be corrected to honour these
-+   options.
-+
-+   Please also note that for TCP we send both queries over the same
-+   socket one after another.  This technically violates best practice
-+   since the server is allowed to read the first query, respond, and
-+   then close the socket (to service another client).  If the server
-+   does this, then the remaining second query in the socket data buffer
-+   will cause the server to send the client an RST which will arrive
-+   asynchronously and the client's OS will likely tear down the socket
-+   receive buffer resulting in a potentially short read and lost
-+   response data.  This will force the client to retry the query again,
-+   and this process may repeat until all servers and connection resets
-+   are exhausted and then the query will fail.  It's not known if this
-+   happens with any frequency in real DNS server implementations.  This
-+   implementation should be corrected to use two sockets by default for
-+   parallel queries.
-+
-+   The query stored in BUF of BUFLEN length is sent first followed by
-+   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
-+   serially on the same socket.
-+
-+   Answers to the query are stored firstly in *ANSP up to a max of
-+   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
-+   is non-NULL (to indicate that modifying the answer buffer is allowed)
-+   then malloc is used to allocate a new response buffer and ANSCP and
-+   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
-+   are needed but ANSCP is NULL, then as much of the response as
-+   possible is read into the buffer, but the results will be truncated.
-+   When truncation happens because of a small answer buffer the DNS
-+   packets header feild TC will bet set to 1, indicating a truncated
-+   message and the rest of the socket data will be read and discarded.
-+
-+   Answers to the query are stored secondly in *ANSP2 up to a max of
-+   *ANSSIZP2 bytes, with the actual response length stored in
-+   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
-+   is non-NULL (required for a second query) then malloc is used to
-+   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+   size and *ANSP2_MALLOCED is set to 1.
-+
-+   The ANSP2_MALLOCED argument will eventually be removed as the
-+   change in buffer pointer can be used to detect the buffer has
-+   changed and that the caller should use free on the new buffer.
-+
-+   Note that the answers may arrive in any order from the server and
-+   therefore the first and second answer buffers may not correspond to
-+   the first and second queries.
-+
-+   It is not supported to call this function with a non-NULL ANSP2
-+   but a NULL ANSCP.  Put another way, you can call send_vc with a
-+   single unmodifiable buffer or two modifiable buffers, but no other
-+   combination is supported.
-+
-+   It is the caller's responsibility to free the malloc allocated
-+   buffers by detecting that the pointers have changed from their
-+   original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+   If errors are encountered then *TERRNO is set to an appropriate
-+   errno value and a zero result is returned for a recoverable error,
-+   and a less-than zero result is returned for a non-recoverable error.
-+
-+   If no errors are encountered then *TERRNO is left unmodified and
-+   a the length of the first response in bytes is returned.  */
- static int
- send_vc(res_state statp,
- 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -669,11 +759,7 @@ send_vc(res_state statp,
- {
- 	const HEADER *hp = (HEADER *) buf;
- 	const HEADER *hp2 = (HEADER *) buf2;
--	u_char *ans = *ansp;
--	int orig_anssizp = *anssizp;
--	// XXX REMOVE
--	// int anssiz = *anssizp;
--	HEADER *anhp = (HEADER *) ans;
-+	HEADER *anhp = (HEADER *) *ansp;
- 	struct sockaddr *nsap = get_nsaddr (statp, ns);
- 	int truncating, connreset, n;
- 	/* On some architectures compiler might emit a warning indicating
-@@ -766,6 +852,8 @@ send_vc(res_state statp,
- 	 * Receive length & response
- 	 */
- 	int recvresp1 = 0;
-+	/* Skip the second response if there is no second query.
-+           To do that we mark the second response as received.  */
- 	int recvresp2 = buf2 == NULL;
- 	uint16_t rlen16;
-  read_len:
-@@ -802,40 +890,14 @@ send_vc(res_state statp,
- 	u_char **thisansp;
- 	int *thisresplenp;
- 	if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+		/* We have not received any responses
-+		   yet or we only have one response to
-+		   receive.  */
- 		thisanssizp = anssizp;
- 		thisansp = anscp ?: ansp;
- 		assert (anscp != NULL || ansp2 == NULL);
- 		thisresplenp = &resplen;
- 	} else {
--		if (*anssizp != MAXPACKET) {
--			/* No buffer allocated for the first
--			   reply.  We can try to use the rest
--			   of the user-provided buffer.  */
--#if __GNUC_PREREQ (4, 7)
--			DIAG_PUSH_NEEDS_COMMENT;
--			DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
--#endif
--#if _STRING_ARCH_unaligned
--			*anssizp2 = orig_anssizp - resplen;
--			*ansp2 = *ansp + resplen;
--#else
--			int aligned_resplen
--			  = ((resplen + __alignof__ (HEADER) - 1)
--			     & ~(__alignof__ (HEADER) - 1));
--			*anssizp2 = orig_anssizp - aligned_resplen;
--			*ansp2 = *ansp + aligned_resplen;
--#endif
--#if __GNUC_PREREQ (4, 7)
--			DIAG_POP_NEEDS_COMMENT;
--#endif
--		} else {
--			/* The first reply did not fit into the
--			   user-provided buffer.  Maybe the second
--			   answer will.  */
--			*anssizp2 = orig_anssizp;
--			*ansp2 = *ansp;
--		}
--
- 		thisanssizp = anssizp2;
- 		thisansp = ansp2;
- 		thisresplenp = resplen2;
-@@ -843,10 +905,14 @@ send_vc(res_state statp,
- 	anhp = (HEADER *) *thisansp;
- 
- 	*thisresplenp = rlen;
--	if (rlen > *thisanssizp) {
--		/* Yes, we test ANSCP here.  If we have two buffers
--		   both will be allocatable.  */
--		if (__glibc_likely (anscp != NULL))       {
-+	/* Is the answer buffer too small?  */
-+	if (*thisanssizp < rlen) {
-+		/* If the current buffer is non-NULL and it's not
-+		   pointing at the static user-supplied buffer then
-+		   we can reallocate it.  */
-+		if (thisansp != NULL && thisansp != ansp) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *newp = malloc (MAXPACKET);
- 			if (newp == NULL) {
- 				*terrno = ENOMEM;
-@@ -858,6 +924,9 @@ send_vc(res_state statp,
- 			if (thisansp == ansp2)
- 			  *ansp2_malloced = 1;
- 			anhp = (HEADER *) newp;
-+			/* A uint16_t can't be larger than MAXPACKET
-+			   thus it's safe to allocate MAXPACKET but
-+			   read RLEN bytes instead.  */
- 			len = rlen;
- 		} else {
- 			Dprint(statp->options & RES_DEBUG,
-@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in
- 	return 1;
- }
- 
-+/* The send_dg function is responsible for sending a DNS query over UDP
-+   to the nameserver numbered NS from the res_state STATP i.e.
-+   EXT(statp).nssocks[ns].  The function supports IPv4 and IPv6 queries
-+   along with the ability to send the query in parallel for both stacks
-+   (default) or serially (RES_SINGLKUP).  It also supports serial lookup
-+   with a close and reopen of the socket used to talk to the server
-+   (RES_SNGLKUPREOP) to work around broken name servers.
-+
-+   The query stored in BUF of BUFLEN length is sent first followed by
-+   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
-+   in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
-+
-+   Answers to the query are stored firstly in *ANSP up to a max of
-+   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
-+   is non-NULL (to indicate that modifying the answer buffer is allowed)
-+   then malloc is used to allocate a new response buffer and ANSCP and
-+   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
-+   are needed but ANSCP is NULL, then as much of the response as
-+   possible is read into the buffer, but the results will be truncated.
-+   When truncation happens because of a small answer buffer the DNS
-+   packets header feild TC will bet set to 1, indicating a truncated
-+   message, while the rest of the UDP packet is discarded.
-+
-+   Answers to the query are stored secondly in *ANSP2 up to a max of
-+   *ANSSIZP2 bytes, with the actual response length stored in
-+   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
-+   is non-NULL (required for a second query) then malloc is used to
-+   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+   size and *ANSP2_MALLOCED is set to 1.
-+
-+   The ANSP2_MALLOCED argument will eventually be removed as the
-+   change in buffer pointer can be used to detect the buffer has
-+   changed and that the caller should use free on the new buffer.
-+
-+   Note that the answers may arrive in any order from the server and
-+   therefore the first and second answer buffers may not correspond to
-+   the first and second queries.
-+
-+   It is not supported to call this function with a non-NULL ANSP2
-+   but a NULL ANSCP.  Put another way, you can call send_vc with a
-+   single unmodifiable buffer or two modifiable buffers, but no other
-+   combination is supported.
-+
-+   It is the caller's responsibility to free the malloc allocated
-+   buffers by detecting that the pointers have changed from their
-+   original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+   If an answer is truncated because of UDP datagram DNS limits then
-+   *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
-+   the caller to retry with TCP.  The value *GOTSOMEWHERE is set to 1
-+   if any progress was made reading a response from the nameserver and
-+   is used by the caller to distinguish between ECONNREFUSED and
-+   ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
-+
-+   If errors are encountered then *TERRNO is set to an appropriate
-+   errno value and a zero result is returned for a recoverable error,
-+   and a less-than zero result is returned for a non-recoverable error.
-+
-+   If no errors are encountered then *TERRNO is left unmodified and
-+   a the length of the first response in bytes is returned.  */
- static int
- send_dg(res_state statp,
- 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -1030,8 +1159,6 @@ send_dg(res_state statp,
- {
- 	const HEADER *hp = (HEADER *) buf;
- 	const HEADER *hp2 = (HEADER *) buf2;
--	u_char *ans = *ansp;
--	int orig_anssizp = *anssizp;
- 	struct timespec now, timeout, finish;
- 	struct pollfd pfd[1];
- 	int ptimeout;
-@@ -1064,6 +1191,8 @@ send_dg(res_state statp,
- 	int need_recompute = 0;
- 	int nwritten = 0;
- 	int recvresp1 = 0;
-+	/* Skip the second response if there is no second query.
-+           To do that we mark the second response as received.  */
- 	int recvresp2 = buf2 == NULL;
- 	pfd[0].fd = EXT(statp).nssocks[ns];
- 	pfd[0].events = POLLOUT;
-@@ -1227,55 +1356,56 @@ send_dg(res_state statp,
- 		int *thisresplenp;
- 
- 		if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+			/* We have not received any responses
-+			   yet or we only have one response to
-+			   receive.  */
- 			thisanssizp = anssizp;
- 			thisansp = anscp ?: ansp;
- 			assert (anscp != NULL || ansp2 == NULL);
- 			thisresplenp = &resplen;
- 		} else {
--			if (*anssizp != MAXPACKET) {
--				/* No buffer allocated for the first
--				   reply.  We can try to use the rest
--				   of the user-provided buffer.  */
--#if _STRING_ARCH_unaligned
--				*anssizp2 = orig_anssizp - resplen;
--				*ansp2 = *ansp + resplen;
--#else
--				int aligned_resplen
--				  = ((resplen + __alignof__ (HEADER) - 1)
--				     & ~(__alignof__ (HEADER) - 1));
--				*anssizp2 = orig_anssizp - aligned_resplen;
--				*ansp2 = *ansp + aligned_resplen;
--#endif
--			} else {
--				/* The first reply did not fit into the
--				   user-provided buffer.  Maybe the second
--				   answer will.  */
--				*anssizp2 = orig_anssizp;
--				*ansp2 = *ansp;
--			}
--
- 			thisanssizp = anssizp2;
- 			thisansp = ansp2;
- 			thisresplenp = resplen2;
- 		}
- 
- 		if (*thisanssizp < MAXPACKET
--		    /* Yes, we test ANSCP here.  If we have two buffers
--		       both will be allocatable.  */
--		    && anscp
-+		    /* If the current buffer is non-NULL and it's not
-+		       pointing at the static user-supplied buffer then
-+		       we can reallocate it.  */
-+		    && (thisansp != NULL && thisansp != ansp)
- #ifdef FIONREAD
-+		    /* Is the size too small?  */
- 		    && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
- 			|| *thisanssizp < *thisresplenp)
- #endif
-                     ) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *newp = malloc (MAXPACKET);
- 			if (newp != NULL) {
--				*anssizp = MAXPACKET;
--				*thisansp = ans = newp;
-+				*thisanssizp = MAXPACKET;
-+				*thisansp = newp;
- 				if (thisansp == ansp2)
- 				  *ansp2_malloced = 1;
- 			}
- 		}
-+		/* We could end up with truncation if anscp was NULL
-+		   (not allowed to change caller's buffer) and the
-+		   response buffer size is too small.  This isn't a
-+		   reliable way to detect truncation because the ioctl
-+		   may be an inaccurate report of the UDP message size.
-+		   Therefore we use this only to issue debug output.
-+		   To do truncation accurately with UDP we need
-+		   MSG_TRUNC which is only available on Linux.  We
-+		   can abstract out the Linux-specific feature in the
-+		   future to detect truncation.  */
-+		if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
-+			Dprint(statp->options & RES_DEBUG,
-+			       (stdout, ";; response may be truncated (UDP)\n")
-+			);
-+		}
-+
- 		HEADER *anhp = (HEADER *) *thisansp;
- 		socklen_t fromlen = sizeof(struct sockaddr_in6);
- 		assert (sizeof(from) <= fromlen);
diff --git a/gnu/packages/patches/glibc-hurd-extern-inline.patch b/gnu/packages/patches/glibc-hurd-extern-inline.patch
deleted file mode 100644
index a609b1f54a..0000000000
--- a/gnu/packages/patches/glibc-hurd-extern-inline.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-This changes the way _EXTERN_INLINE is defined so we can
-avoid external definition errors.
-https://lists.gnu.org/archive/html/bug-hurd/2014-04/msg00002.html
-
-diff --git a/signal/sigsetops.c b/signal/sigsetops.c
-index 0317662..b92c296 100644
---- a/signal/sigsetops.c
-+++ b/signal/sigsetops.c
-@@ -3,7 +3,9 @@
- 
- #include <features.h>
- 
--#define _EXTERN_INLINE
-+#ifndef _EXTERN_INLINE
-+#define _EXTERN_INLINE __extern_inline
-+#endif
- #ifndef __USE_EXTERN_INLINES
- # define __USE_EXTERN_INLINES  1
- #endif
-
-Link libmachuser and libhurduser automatically with libc, since they are
-considered a standard part of the API in GNU-land.
-
---- a/Makerules
-+++ b/Makerules
-@@ -978,6 +978,9 @@
- 	      '$(libdir)/$(patsubst %,$(libtype.oS),$(libprefix)$(libc-name))'\
-	      ' AS_NEEDED (' $(rtlddir)/$(rtld-installed-name) ') )' \
- 	) > $@.new
-+ifeq ($(patsubst gnu%,,$(config-os)),)
-+	echo 'INPUT ( AS_NEEDED ( -lmachuser -lhurduser ) )' >> $@.new
-+endif
- 	mv -f $@.new $@
- 
- endif
\ No newline at end of file
diff --git a/gnu/packages/patches/glibc-locale-incompatibility.patch b/gnu/packages/patches/glibc-locale-incompatibility.patch
deleted file mode 100644
index baf30a79a7..0000000000
--- a/gnu/packages/patches/glibc-locale-incompatibility.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-This patch avoids an assertion failure when incompatible locale data
-is encountered:
-
-  https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html
-
---- glibc-2.22/locale/loadlocale.c	2015-09-22 17:16:02.321981548 +0200
-+++ glibc-2.22/locale/loadlocale.c	2015-09-22 17:17:34.814659064 +0200
-@@ -120,10 +120,11 @@
- 	 _nl_value_type_LC_XYZ array.  There are all pointers.  */
-       switch (category)
- 	{
--#define CATTEST(cat) \
--	case LC_##cat:							      \
--	  assert (cnt < (sizeof (_nl_value_type_LC_##cat)		      \
--			 / sizeof (_nl_value_type_LC_##cat[0])));	      \
-+#define CATTEST(cat)						\
-+	case LC_##cat:						\
-+	  if (cnt >= (sizeof (_nl_value_type_LC_##cat)		\
-+		      / sizeof (_nl_value_type_LC_##cat[0])))	\
-+	    goto puntdata;					\
- 	  break
- 	  CATTEST (NUMERIC);
- 	  CATTEST (TIME);
diff --git a/gnu/packages/patches/libarchive-CVE-2013-0211.patch b/gnu/packages/patches/libarchive-CVE-2013-0211.patch
deleted file mode 100644
index b024a7d4a8..0000000000
--- a/gnu/packages/patches/libarchive-CVE-2013-0211.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Description: Fix CVE-2013-0211: read buffer overflow on 64-bit systems
-Origin: upstream
-Bug-Debian: http://bugs.debian.org/703957
-Forwarded: not-needed
-
---- libarchive-3.0.4.orig/libarchive/archive_write.c
-+++ libarchive-3.0.4/libarchive/archive_write.c
-@@ -665,8 +665,13 @@ static ssize_t
- _archive_write_data(struct archive *_a, const void *buff, size_t s)
- {
- 	struct archive_write *a = (struct archive_write *)_a;
-+	const size_t max_write = INT_MAX;
-+
- 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
- 	    ARCHIVE_STATE_DATA, "archive_write_data");
-+	/* In particular, this catches attempts to pass negative values. */
-+	if (s > max_write)
-+		s = max_write;
- 	archive_clear_error(&a->archive);
- 	return ((a->format_write_data)(a, buff, s));
- }
diff --git a/gnu/packages/patches/libarchive-CVE-2016-1541.patch b/gnu/packages/patches/libarchive-CVE-2016-1541.patch
deleted file mode 100644
index 6ac8773244..0000000000
--- a/gnu/packages/patches/libarchive-CVE-2016-1541.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Fix CVE-2016-1541 (buffer overflow zip_read_mac_metadata)
-
-Taken from upstream source repository:
-https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7
-
-When reading OS X metadata entries in Zip archives that were stored
-without compression, libarchive would use the uncompressed entry size
-to allocate a buffer but would use the compressed entry size to limit
-the amount of data copied into that buffer.  Since the compressed
-and uncompressed sizes are provided by data in the archive itself,
-an attacker could manipulate these values to write data beyond
-the end of the allocated buffer.
-
-This fix provides three new checks to guard against such
-manipulation and to make libarchive generally more robust when
-handling this type of entry:
- 1. If an OS X metadata entry is stored without compression,
-    abort the entire archive if the compressed and uncompressed
-    data sizes do not match.
- 2. When sanity-checking the size of an OS X metadata entry,
-    abort this entry if either the compressed or uncompressed
-    size is larger than 4MB.
- 3. When copying data into the allocated buffer, check the copy
-    size against both the compressed entry size and uncompressed
-    entry size.
----
- libarchive/archive_read_support_format_zip.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
-index 0f8262c..0a0be96 100644
---- a/libarchive/archive_read_support_format_zip.c
-+++ b/libarchive/archive_read_support_format_zip.c
-@@ -2778,6 +2778,11 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
- 
- 	switch(rsrc->compression) {
- 	case 0:  /* No compression. */
-+		if (rsrc->uncompressed_size != rsrc->compressed_size) {
-+			archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-+			    "Malformed OS X metadata entry: inconsistent size");
-+			return (ARCHIVE_FATAL);
-+		}
- #ifdef HAVE_ZLIB_H
- 	case 8: /* Deflate compression. */
- #endif
-@@ -2798,6 +2803,12 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
- 		    (intmax_t)rsrc->uncompressed_size);
- 		return (ARCHIVE_WARN);
- 	}
-+	if (rsrc->compressed_size > (4 * 1024 * 1024)) {
-+		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
-+		    "Mac metadata is too large: %jd > 4M bytes",
-+		    (intmax_t)rsrc->compressed_size);
-+		return (ARCHIVE_WARN);
-+	}
- 
- 	metadata = malloc((size_t)rsrc->uncompressed_size);
- 	if (metadata == NULL) {
-@@ -2836,6 +2847,8 @@ zip_read_mac_metadata(struct archive_read *a, struct archive_entry *entry,
- 			bytes_avail = remaining_bytes;
- 		switch(rsrc->compression) {
- 		case 0:  /* No compression. */
-+			if ((size_t)bytes_avail > metadata_bytes)
-+				bytes_avail = metadata_bytes;
- 			memcpy(mp, p, bytes_avail);
- 			bytes_used = (size_t)bytes_avail;
- 			metadata_bytes -= bytes_used;
diff --git a/gnu/packages/patches/libarchive-bsdtar-test.patch b/gnu/packages/patches/libarchive-bsdtar-test.patch
deleted file mode 100644
index 6a533a9a07..0000000000
--- a/gnu/packages/patches/libarchive-bsdtar-test.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-commit b539b2e597b566fe3c4b49cb61c9eef83e5e052d
-Author: Pavel Raiskup <praiskup@redhat.com>
-Date:   Thu Jun 27 16:01:30 2013 +0200
-
-    Use ustar format in the test_option_b test
-    
-    .. because the ustar archive does not store SELinux context.  As the default
-    format for bsdtar is "restricted pax" (trying to store xattrs and other
-    things by default), the test failed on Fedora because our files have by
-    default SELinux context set.  This results in additional data in tested
-    archive ~> and the test failed because the archive was unexpectedly big:
-    
-     tar/test/test_option_b.c:41: File archive1.tar has size 3072, expected 2048
-    
-    Reviewed by Konrad Kleine <konrad.wilhelm.kleine@gmail.com>
-
-diff --git a/tar/test/test_option_b.c b/tar/test/test_option_b.c
-index be2ae65..6fea474 100644
---- a/tar/test/test_option_b.c
-+++ b/tar/test/test_option_b.c
-@@ -25,8 +25,14 @@
- #include "test.h"
- __FBSDID("$FreeBSD$");
- 
-+#define USTAR_OPT " --format=ustar"
-+
- DEFINE_TEST(test_option_b)
- {
-+	char *testprog_ustar = malloc(strlen(testprog) + sizeof(USTAR_OPT) + 1);
-+	strcpy(testprog_ustar, testprog);
-+	strcat(testprog_ustar, USTAR_OPT);
-+
- 	assertMakeFile("file1", 0644, "file1");
- 	if (systemf("cat file1 > test_cat.out 2> test_cat.err") != 0) {
- 		skipping("Platform doesn't have cat");
-@@ -36,7 +42,7 @@ DEFINE_TEST(test_option_b)
- 	/*
- 	 * Bsdtar does not pad if the output is going directly to a disk file.
- 	 */
--	assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog));
-+	assertEqualInt(0, systemf("%s -cf archive1.tar file1 >test1.out 2>test1.err", testprog_ustar));
- 	failure("bsdtar does not pad archives written directly to regular files");
- 	assertFileSize("archive1.tar", 2048);
- 	assertEmptyFile("test1.out");
-@@ -46,24 +52,24 @@ DEFINE_TEST(test_option_b)
- 	 * Bsdtar does pad to the block size if the output is going to a socket.
- 	 */
- 	/* Default is -b 20 */
--	assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog));
-+	assertEqualInt(0, systemf("%s -cf - file1 2>test2.err | cat >archive2.tar ", testprog_ustar));
- 	failure("bsdtar does pad archives written to pipes");
- 	assertFileSize("archive2.tar", 10240);
- 	assertEmptyFile("test2.err");
- 
--	assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog));
-+	assertEqualInt(0, systemf("%s -cf - -b 20 file1 2>test3.err | cat >archive3.tar ", testprog_ustar));
- 	assertFileSize("archive3.tar", 10240);
- 	assertEmptyFile("test3.err");
- 
--	assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog));
-+	assertEqualInt(0, systemf("%s -cf - -b 10 file1 2>test4.err | cat >archive4.tar ", testprog_ustar));
- 	assertFileSize("archive4.tar", 5120);
- 	assertEmptyFile("test4.err");
- 
--	assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog));
-+	assertEqualInt(0, systemf("%s -cf - -b 1 file1 2>test5.err | cat >archive5.tar ", testprog_ustar));
- 	assertFileSize("archive5.tar", 2048);
- 	assertEmptyFile("test5.err");
- 
--	assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog));
-+	assertEqualInt(0, systemf("%s -cf - -b 8192 file1 2>test6.err | cat >archive6.tar ", testprog_ustar));
- 	assertFileSize("archive6.tar", 4194304);
- 	assertEmptyFile("test6.err");
- 
diff --git a/gnu/packages/patches/libarchive-fix-lzo-test-case.patch b/gnu/packages/patches/libarchive-fix-lzo-test-case.patch
deleted file mode 100644
index ffdc0db922..0000000000
--- a/gnu/packages/patches/libarchive-fix-lzo-test-case.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Description: This patch fixes test cases for LZO write support in various
- architectures, such as armhf. Writing a certain amount of files would
- cause the LZO compressor level 9 to produce a bigger archive than the
- default compressor level.
-Author: Andres Mejia <amejia@debian.org>
-
---- a/libarchive/test/test_write_filter_lzop.c
-+++ b/libarchive/test/test_write_filter_lzop.c
-@@ -39,7 +39,7 @@
- 	size_t buffsize, datasize;
- 	char path[16];
- 	size_t used1, used2;
--	int i, r, use_prog = 0;
-+	int i, r, use_prog = 0, filecount;
- 
- 	assert((a = archive_write_new()) != NULL);
- 	r = archive_write_add_filter_lzop(a);
-@@ -58,9 +58,10 @@
- 
- 	datasize = 10000;
- 	assert(NULL != (data = (char *)calloc(1, datasize)));
-+	filecount = 10;
- 
- 	/*
--	 * Write a 100 files and read them all back.
-+	 * Write a filecount files and read them all back.
- 	 */
- 	assert((a = archive_write_new()) != NULL);
- 	assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a));
-@@ -77,7 +78,7 @@
- 	assert((ae = archive_entry_new()) != NULL);
- 	archive_entry_set_filetype(ae, AE_IFREG);
- 	archive_entry_set_size(ae, datasize);
--	for (i = 0; i < 100; i++) {
-+	for (i = 0; i < filecount; i++) {
- 		sprintf(path, "file%03d", i);
- 		archive_entry_copy_pathname(ae, path);
- 		assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae));
-@@ -97,7 +98,7 @@
- 	} else {
- 		assertEqualIntA(a, ARCHIVE_OK,
- 		    archive_read_open_memory(a, buff, used1));
--		for (i = 0; i < 100; i++) {
-+		for (i = 0; i < filecount; i++) {
- 			sprintf(path, "file%03d", i);
- 			if (!assertEqualInt(ARCHIVE_OK,
- 				archive_read_next_header(a, &ae)))
-@@ -133,7 +134,7 @@
- 	    archive_write_set_options(a, "lzop:compression-level=9"));
- 	assertEqualIntA(a, ARCHIVE_OK,
- 	    archive_write_open_memory(a, buff, buffsize, &used2));
--	for (i = 0; i < 100; i++) {
-+	for (i = 0; i < filecount; i++) {
- 		sprintf(path, "file%03d", i);
- 		assert((ae = archive_entry_new()) != NULL);
- 		archive_entry_copy_pathname(ae, path);
-@@ -161,7 +162,7 @@
- 		    archive_read_support_filter_all(a));
- 		assertEqualIntA(a, ARCHIVE_OK,
- 		    archive_read_open_memory(a, buff, used2));
--		for (i = 0; i < 100; i++) {
-+		for (i = 0; i < filecount; i++) {
- 			sprintf(path, "file%03d", i);
- 			if (!assertEqualInt(ARCHIVE_OK,
- 				archive_read_next_header(a, &ae)))
-@@ -186,7 +187,7 @@
- 	    archive_write_set_filter_option(a, NULL, "compression-level", "1"));
- 	assertEqualIntA(a, ARCHIVE_OK,
- 	    archive_write_open_memory(a, buff, buffsize, &used2));
--	for (i = 0; i < 100; i++) {
-+	for (i = 0; i < filecount; i++) {
- 		sprintf(path, "file%03d", i);
- 		assert((ae = archive_entry_new()) != NULL);
- 		archive_entry_copy_pathname(ae, path);
-@@ -216,7 +217,7 @@
- 	} else {
- 		assertEqualIntA(a, ARCHIVE_OK,
- 		    archive_read_open_memory(a, buff, used2));
--		for (i = 0; i < 100; i++) {
-+		for (i = 0; i < filecount; i++) {
- 			sprintf(path, "file%03d", i);
- 			if (!assertEqualInt(ARCHIVE_OK,
- 				archive_read_next_header(a, &ae)))
diff --git a/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch b/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch
deleted file mode 100644
index ad94592c05..0000000000
--- a/gnu/packages/patches/libarchive-mtree-filename-length-fix.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Description: Patch to fix filename length calculation when writing mtree archives.
-Author: Dave Reisner <dreisner@archlinux.org>
-Origin: upstream
-
---- a/libarchive/archive_write_set_format_mtree.c
-+++ b/libarchive/archive_write_set_format_mtree.c
-@@ -1855,9 +1855,9 @@
- 		return (ret);
- 	}
- 
--	/* Make a basename from dirname and slash */
-+	/* Make a basename from file->parentdir.s and slash */
- 	*slash  = '\0';
--	file->parentdir.length = slash - dirname;
-+	file->parentdir.length = slash - file->parentdir.s;
- 	archive_strcpy(&(file->basename),  slash + 1);
- 	return (ret);
- }
diff --git a/gnu/packages/patches/libpthread-glibc-preparation.patch b/gnu/packages/patches/libpthread-glibc-preparation.patch
deleted file mode 100644
index a43245436c..0000000000
--- a/gnu/packages/patches/libpthread-glibc-preparation.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-This patch helps to integrate the Hurd's libpthread as a libc add-on.
-
-It writes the configure file, removes an rpc call not yet 
-implemented on the version of gnumach we use and defines
-a missing macro.
-
-diff --git a/libpthread/configure b/libpthread/configure
-new file mode 100644
-index 0000000..2cdbc71
---- /dev/null
-+++ b/libpthread/configure
-@@ -0,0 +1,2 @@
-+libc_add_on_canonical=libpthread
-+libc_add_on_subdirs=.
--- 
-1.9.0
-
-We are using a version of GNU Mach that lacks 'thread_terminate_release'
-(not introduced yet).  The 'thread_terminate' RPC call will be enough for
-our needs.
-See <http://lists.gnu.org/archive/html/bug-hurd/2014-05/msg00127.html>.
-
-diff --git a/libpthread/sysdeps/mach/pt-thread-terminate.c b/libpthread/sysdeps/mach/pt-thread-terminate.c
-index 6672065..129a611 100644
---- a/libpthread/sysdeps/mach/pt-thread-terminate.c
-+++ b/libpthread/sysdeps/mach/pt-thread-terminate.c
-@@ -70,9 +70,9 @@ __pthread_thread_terminate (struct __pthread *thread)
-   __mach_port_destroy (__mach_task_self (), wakeup_port);
- 
-   /* Terminate and release all that's left.  */
--  err = __thread_terminate_release (kernel_thread, mach_task_self (),
--				    kernel_thread, reply_port,
--				    stackaddr, stacksize);
-+  /* err = __thread_terminate_release (kernel_thread, mach_task_self (), */
-+  /* 				    kernel_thread, reply_port, */
-+  /* 				    stackaddr, stacksize); */
- 
-   /* The kernel does not support it yet.  Leak but at least terminate
-      correctly.  */
--- 
-1.9.2
-
-The __PTHREAD_SPIN_LOCK_INITIALIZER definition is missing, so we 
-define it to __SPIN_LOCK_INITIALIZER which already exists.
-See <http://lists.gnu.org/archive/html/commit-hurd/2009-04/msg00006.html>.
-  
-diff --git a/libpthread/sysdeps/mach/bits/spin-lock.h b/libpthread/sysdeps/mach/bits/spin-lock.h
-index 537dac9..fca0e5a 100644
---- a/libpthread/sysdeps/mach/bits/spin-lock.h
-+++ b/libpthread/sysdeps/mach/bits/spin-lock.h
-@@ -30,7 +30,7 @@ typedef __spin_lock_t __pthread_spinlock_t;
- 
- /* Initializer for a spin lock object.  */
- #ifndef __PTHREAD_SPIN_LOCK_INITIALIZER
--#error __PTHREAD_SPIN_LOCK_INITIALIZER undefined: should be defined by <lock-intern.h>.
-+#define __PTHREAD_SPIN_LOCK_INITIALIZER __SPIN_LOCK_INITIALIZER
- #endif
- 
- __END_DECLS
-
-The version of the glibc we use doesn't include the shm-directory.c file and does
-not yet support IS_IN.
-See <https://lists.gnu.org/archive/html/bug-hurd/2015-03/msg00078.html>
-
-diff --git a/libpthread/Makefile b/libpthread/Makefile
-index 2906788..b8dee58 100644
---- a/libpthread/Makefile
-+++ b/libpthread/Makefile
-@@ -149,8 +149,6 @@ libpthread-routines := pt-attr pt-attr-destroy pt-attr-getdetachstate	    \
- 	sem-post sem-timedwait sem-trywait sem-unlink			    \
- 	sem-wait							    \
- 									    \
--	shm-directory							    \
--									    \
- 	cthreads-compat							    \
- 	$(SYSDEPS)
- 
--- 
-2.3.6
-
-diff --git a/libpthread/pthread/pt-create.c b/libpthread/pthread/pt-create.c
-index d88afae..84044dc 100644
---- a/libpthread/pthread/pt-create.c
-+++ b/libpthread/pthread/pt-create.c
-@@ -28,7 +28,7 @@
- 
- #include <pt-internal.h>
- 
--#if IS_IN (libpthread)
-+#ifdef IS_IN_libpthread
- # include <ctype.h>
- #endif
- #ifdef HAVE_USELOCALE
-@@ -50,7 +50,7 @@ entry_point (struct __pthread *self, void *(*start_routine)(void *), void *arg)
-   __resp = &self->res_state;
- #endif
- 
--#if IS_IN (libpthread)
-+#ifdef IS_IN_libpthread
-   /* Initialize pointers to locale data.  */
-   __ctype_init ();
- #endif
-diff --git a/libpthread/pthread/pt-initialize.c b/libpthread/pthread/pt-initialize.c
-index 9e5404b..b9cacbd 100644
---- a/libpthread/pthread/pt-initialize.c
-+++ b/libpthread/pthread/pt-initialize.c
-@@ -28,7 +28,7 @@
- 
- DEFINE_HOOK (__pthread_init, (void));
- 
--#if IS_IN (libpthread)
-+#ifdef IS_IN_libpthread
- static const struct pthread_functions pthread_functions =
-   {
-     .ptr_pthread_attr_destroy = __pthread_attr_destroy,
-@@ -81,7 +81,7 @@ static const struct pthread_functions pthread_functions =
- void
- ___pthread_init (void)
- {
--#if IS_IN (libpthread)
-+#ifdef IS_IN_libpthread
-   __libc_pthread_init(&pthread_functions);
- #endif
-   RUN_HOOK (__pthread_init, ());
-diff --git a/libpthread/pthread/pt-internal.h b/libpthread/pthread/pt-internal.h
-index 18b5b4c..8cdcfce 100644
---- a/libpthread/pthread/pt-internal.h
-+++ b/libpthread/pthread/pt-internal.h
-@@ -35,7 +35,7 @@
- #include <pt-sysdep.h>
- #include <pt-machdep.h>
- 
--#if IS_IN (libpthread)
-+#ifdef IS_IN_libpthread
- # include <ldsodefs.h>
- #endif
- 
-@@ -60,7 +60,7 @@ enum pthread_state
- # define PTHREAD_SYSDEP_MEMBERS
- #endif
- 
--#if !(IS_IN (libpthread))
-+#ifndef IS_IN_libpthread
- #ifdef ENABLE_TLS
- /* Type of the TCB.  */
- typedef struct
diff --git a/gnu/packages/patches/libxslt-generated-ids.patch b/gnu/packages/patches/libxslt-generated-ids.patch
new file mode 100644
index 0000000000..4273875c7c
--- /dev/null
+++ b/gnu/packages/patches/libxslt-generated-ids.patch
@@ -0,0 +1,173 @@
+This makes generated IDs deterministic.
+
+Written by Daniel Veillard.
+
+This should be fixed in next release (2.29).
+See https://bugzilla.gnome.org/show_bug.cgi?id=751621.
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 6448bde..5b00a6d 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -651,6 +651,63 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
+ }
+ 
+ /**
++ * xsltCleanupIds:
++ * @ctxt: the transformation context
++ * @root: the root of the resulting document
++ *
++ * This clean up ids which may have been saved in Element contents
++ * by xsltGenerateIdFunction() to provide stable IDs on elements.
++ *
++ * Returns the number of items cleaned or -1 in case of error
++ */
++int
++xsltCleanupIds(xsltTransformContextPtr ctxt, xmlNodePtr root) {
++    xmlNodePtr cur;
++    int count = 0;
++
++    if ((ctxt == NULL) || (root == NULL))
++        return(-1);
++    if (root->type != XML_ELEMENT_NODE)
++        return(-1);
++
++    cur = root;
++    while (cur != NULL) {
++	if (cur->type == XML_ELEMENT_NODE) {
++	    if (cur->content != NULL) {
++	        cur->content = NULL;
++		count++;
++	    }
++	    if (cur->children != NULL) {
++		cur = cur->children;
++		continue;
++	    }
++	}
++	if (cur->next != NULL) {
++	    cur = cur->next;
++	    continue;
++	}
++	do {
++	    cur = cur->parent;
++	    if (cur == NULL)
++		break;
++	    if (cur == (xmlNodePtr) root) {
++		cur = NULL;
++		break;
++	    }
++	    if (cur->next != NULL) {
++		cur = cur->next;
++		break;
++	    }
++	} while (cur != NULL);
++    }
++
++fprintf(stderr, "Attributed %d IDs for element, cleaned up %d\n",
++        ctxt->nextid, count);
++
++    return(count);
++}
++
++/**
+  * xsltGenerateIdFunction:
+  * @ctxt:  the XPath Parser context
+  * @nargs:  the number of arguments
+@@ -701,7 +758,39 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
+     if (obj)
+         xmlXPathFreeObject(obj);
+ 
+-    val = (long)((char *)cur - (char *)&base_address);
++    /*
++     * Try to provide stable ID for generated document:
++     *   - usually ID are computed to be placed on elements via attributes
++     *     so using the element as the node for the ID
++     *   - the cur->content should be a correct placeholder for this, we use
++     *     it to hold element node numbers in xmlXPathOrderDocElems to
++     *     speed up XPath too
++     *   - xsltCleanupIds() clean them up before handing the XSLT output
++     *     to the API client.
++     *   - other nodes types use the node address method but that should
++     *     not end up in resulting document ID
++     *   - we can enable this by default without risk of performance issues
++     *     only the one pass xsltCleanupIds() is added
++     */
++    if (cur->type == XML_ELEMENT_NODE) {
++        if (cur->content == NULL) {
++	    xsltTransformContextPtr tctxt;
++
++	    tctxt = xsltXPathGetTransformContext(ctxt);
++	    if (tctxt == NULL) {
++		val = (long)((char *)cur - (char *)&base_address);
++	    } else {
++		tctxt->nextid++;
++		val = tctxt->nextid;
++		cur->content = (void *) (val);
++	    }
++	} else {
++	    val = (long) cur->content;
++	}
++    } else {
++	val = (long)((char *)cur - (char *)&base_address);
++    }
++
+     if (val >= 0) {
+       sprintf((char *)str, "idp%ld", val);
+     } else {
+diff --git a/libxslt/functions.h b/libxslt/functions.h
+index e0e0bf9..4a1e163 100644
+--- a/libxslt/functions.h
++++ b/libxslt/functions.h
+@@ -64,6 +64,13 @@ XSLTPUBFUN void XSLTCALL
+ 					 int nargs);
+ 
+ /*
++ * Cleanup for ID generation
++ */
++XSLTPUBFUN int XSLTCALL
++	xsltCleanupIds			(xsltTransformContextPtr ctxt,
++					 xmlNodePtr root);
++
++/*
+  * And the registration
+  */
+ 
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 24f9eb2..2bdf6bf 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -700,6 +700,7 @@ xsltNewTransformContext(xsltStylesheetPtr style, xmlDocPtr doc) {
+     cur->traceCode = (unsigned long*) &xsltDefaultTrace;
+     cur->xinclude = xsltGetXIncludeDefault();
+     cur->keyInitLevel = 0;
++    cur->nextid = 0;
+ 
+     return(cur);
+ 
+@@ -6092,6 +6093,13 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc,
+     if (root != NULL) {
+         const xmlChar *doctype = NULL;
+ 
++        /*
++	 * cleanup ids which may have been saved in Elements content ptrs
++	 */
++	if (ctxt->nextid != 0) {
++	    xsltCleanupIds(ctxt, root);
++	}
++
+         if ((root->ns != NULL) && (root->ns->prefix != NULL))
+ 	    doctype = xmlDictQLookup(ctxt->dict, root->ns->prefix, root->name);
+ 	if (doctype == NULL)
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 95e8fe6..8eedae4 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1786,6 +1786,8 @@ struct _xsltTransformContext {
+     int funcLevel;      /* Needed to catch recursive functions issues */
+     int maxTemplateDepth;
+     int maxTemplateVars;
++
++    unsigned long nextid;/* for generating stable ids */
+ };
+ 
+ /**
diff --git a/gnu/packages/patches/libxslt-remove-date-timestamps.patch b/gnu/packages/patches/libxslt-remove-date-timestamps.patch
new file mode 100644
index 0000000000..51470d0847
--- /dev/null
+++ b/gnu/packages/patches/libxslt-remove-date-timestamps.patch
@@ -0,0 +1,66 @@
+Use deterministic SOURCE_DATE_EPOCH for embedded timestamps in generated documentation.
+
+Written by Eduard Sanou.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=758148
+
+--- libxslt-1.1.28.orig/libexslt/date.c
++++ libxslt-1.1.28/libexslt/date.c
+@@ -46,6 +46,7 @@
+ #include "exslt.h"
+ 
+ #include <string.h>
++#include <errno.h>
+ 
+ #ifdef HAVE_MATH_H
+ #include <math.h>
+@@ -747,21 +748,46 @@ static exsltDateValPtr
+ exsltDateCurrent (void)
+ {
+     struct tm localTm, gmTm;
++    struct tm *tb = NULL;
+     time_t secs;
+     int local_s, gm_s;
+     exsltDateValPtr ret;
++    char *source_date_epoch;
+ 
+     ret = exsltDateCreateDate(XS_DATETIME);
+     if (ret == NULL)
+         return NULL;
+ 
+-    /* get current time */
+     secs    = time(NULL);
++    /*
++     * Allow the date and time to be set externally by an exported
++     * environment variable to enable reproducible builds.
++     */
++    source_date_epoch = getenv("SOURCE_DATE_EPOCH");
++    if (source_date_epoch) {
++	errno = 0;
++	secs = (time_t) strtol (source_date_epoch, NULL, 10);
++	if (errno == 0) {
++	    tb = gmtime(&secs);
++	    if (tb == NULL) {
++	    /* SOURCE_DATE_EPOCH is not a valid date */
++		return NULL;
++	    } else {
++		localTm = *tb;
++	    }
++	} else {
++	    /* SOURCE_DATE_EPOCH is not a valid number */
++	    return NULL;
++	}
++    } else {
++	/* get current time */
+ #if HAVE_LOCALTIME_R
+-    localtime_r(&secs, &localTm);
++	localtime_r(&secs, &localTm);
+ #else
+-    localTm = *localtime(&secs);
++	localTm = *localtime(&secs);
+ #endif
++    }
++
+ 
+     /* get real year, not years since 1900 */
+     ret->value.date.year = localTm.tm_year + 1900;
diff --git a/gnu/packages/patches/procps-non-linux.patch b/gnu/packages/patches/procps-non-linux.patch
new file mode 100644
index 0000000000..9d369aeb2c
--- /dev/null
+++ b/gnu/packages/patches/procps-non-linux.patch
@@ -0,0 +1,40 @@
+From aa9bd38d0a6fe53aff7f78fb2d9f61e55677c7b5 Mon Sep 17 00:00:00 2001
+From: Craig Small <csmall@enc.com.au>
+Date: Sun, 17 Apr 2016 09:09:41 +1000
+Subject: [PATCH] tests: Conditionally add prctl to test process
+
+prctl was already bypassed on Cygwin systems. This extends to
+non-Linux systems such as kFreeBSD and Hurd.
+
+---
+ lib/test_process.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/test_process.c b/lib/test_process.c
+index 6e652ed..6a4776c 100644
+--- a/lib/test_process.c
++++ b/lib/test_process.c
+@@ -21,7 +21,9 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <signal.h>
++#ifdef __linux__
+ #include <sys/prctl.h>
++#endif
+ #include "c.h"
+ 
+ #define DEFAULT_SLEEPTIME 300
+@@ -78,8 +80,10 @@
+     sigaction(SIGUSR1, &signal_action, NULL);
+     sigaction(SIGUSR2, &signal_action, NULL);
+ 
++#ifdef __linux__
+     /* set process name */
+     prctl(PR_SET_NAME, MY_NAME, NULL, NULL, NULL);
++#endif
+ 
+     while (sleep_time > 0) {
+ 	sleep_time = sleep(sleep_time);
+-- 
+2.8.2
+
diff --git a/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch b/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch
deleted file mode 100644
index 39d8e2b20a..0000000000
--- a/gnu/packages/patches/tar-d_ino_in_dirent-fix.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-commit e9ddc08da0982f36581ae5a8c7763453ff41cfe8
-Author: Sergey Poznyakoff <gray@gnu.org>
-Date:   Thu Sep 25 00:22:16 2014 +0300
-
-    Bugfixes.
-    
-    * doc/tar.1: Fix typo in font spec.
-    * src/tar.c (sort_mode_arg, sort_mode_flag): Protect "inode"
-    (SAVEDIR_SORT_INODE) with D_INO_IN_DIRENT
-
-diff --git a/src/tar.c b/src/tar.c
-index 225c624..f8102e0 100644
---- a/src/tar.c
-+++ b/src/tar.c
-@@ -1341,14 +1341,18 @@ static char filename_terminator;
- static char const *const sort_mode_arg[] = {
-   "none",
-   "name",
-+#if D_INO_IN_DIRENT
-   "inode",
-+#endif
-   NULL
- };
- 
- static int sort_mode_flag[] = {
-     SAVEDIR_SORT_NONE,
-     SAVEDIR_SORT_NAME,
-+#if D_INO_IN_DIRENT
-     SAVEDIR_SORT_INODE
-+#endif
- };
- 
- ARGMATCH_VERIFY (sort_mode_arg, sort_mode_flag);
\ No newline at end of file
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index e954492554..fe9157af12 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -32,7 +32,6 @@
   (package
    (name "pcre")
    (version "8.38")
-   (replacement pcre-fixed)
    (source (origin
             (method url-fetch)
             (uri (list
@@ -43,15 +42,18 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))))
+              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))
+            (patches (list (search-patch "pcre-CVE-2016-3191.patch")))))
    (build-system gnu-build-system)
-   (outputs '("out"
-              "doc"))                             ;1.8 MiB of HTML
+   (outputs '("out"           ;library & headers
+              "bin"           ;depends on Readline (adds 20MiB to the closure)
+              "doc"))         ;1.8 MiB of HTML
    (inputs `(("bzip2" ,bzip2)
              ("readline" ,readline)
              ("zlib" ,zlib)))
    (arguments
-    `(#:configure-flags '("--enable-utf"
+    '(#:disallowed-references ("doc")
+      #:configure-flags '("--enable-utf"
                           "--enable-pcregrep-libz"
                           "--enable-pcregrep-libbz2"
                           "--enable-pcretest-libreadline"
@@ -68,13 +70,6 @@ POSIX regular expression API.")
    (license license:bsd-3)
    (home-page "http://www.pcre.org/")))
 
-(define pcre-fixed                                ;for CVE-2016-3191
-  (package
-    (inherit pcre)
-    (source (origin
-              (inherit (package-source pcre))
-              (patches (search-patches "pcre-CVE-2016-3191.patch"))))))
-
 (define-public pcre2
   (package
     (name "pcre2")
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index d46bd1f8ba..7c2651764a 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -87,7 +87,10 @@
     `(#:tests? #f ; no test data provided with the tarball
       #:configure-flags
       '("--enable-xpdf-headers" ; to install header files
-        "--enable-zlib")
+        "--enable-zlib"
+
+        ;; Saves 8 MiB of .a files.
+        "--disable-static")
       #:phases
       (alist-cons-before
        'configure 'setenv
@@ -469,27 +472,38 @@ and examining the file structure (pdfshow).")
             (uri (string-append "mirror://sourceforge/qpdf/qpdf-"
                                 version ".tar.gz"))
             (sha256 (base32
-                     "1lq1v7xghvl6p4hgrwbps3a13ad6lh4ib3myimb83hxgsgd4n5nm"))))
+                     "1lq1v7xghvl6p4hgrwbps3a13ad6lh4ib3myimb83hxgsgd4n5nm"))
+            (modules '((guix build utils)))
+            (snippet
+             ;; Replace shebang with the bi-lingual shell/Perl trick to remove
+             ;; dependency on Perl.
+             '(substitute* "qpdf/fix-qdf"
+                (("#!/usr/bin/env perl")
+                 "\
+eval '(exit $?0)' && eval 'exec perl -wS \"$0\" ${1+\"$@\"}'
+  & eval 'exec perl -wS \"$0\" $argv:q'
+    if 0;\n")))))
    (build-system gnu-build-system)
    (arguments
-      '(#:phases (alist-cons-before
-                  'configure 'patch-paths
-                  (lambda _
-                    (substitute* "make/libtool.mk"
-                      (("SHELL=/bin/bash")
-                       (string-append "SHELL=" (which "bash"))))
-                    (substitute* (append
-                                  '("qtest/bin/qtest-driver")
-                                  (find-files "." "\\.test"))
-                      (("/usr/bin/env") (which "env"))))
-                  %standard-phases)))
+    `(#:disallowed-references (,perl)
+      #:phases (alist-cons-before
+                'configure 'patch-paths
+                (lambda _
+                  (substitute* "make/libtool.mk"
+                    (("SHELL=/bin/bash")
+                     (string-append "SHELL=" (which "bash"))))
+                  (substitute* (append
+                                '("qtest/bin/qtest-driver")
+                                (find-files "." "\\.test"))
+                    (("/usr/bin/env") (which "env"))))
+                %standard-phases)))
    (native-inputs
-    `(("pkg-config" ,pkg-config)))
+    `(("pkg-config" ,pkg-config)
+      ("perl" ,perl)))
    (propagated-inputs
     `(("pcre" ,pcre)))
    (inputs
-    `(("zlib" ,zlib)
-      ("perl" ,perl)))
+    `(("zlib" ,zlib)))
    (synopsis "Command-line tools and library for transforming PDF files")
    (description
     "QPDF is a command-line program that does structural, content-preserving
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index a517581e7d..1b5ca134fe 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -86,15 +86,7 @@
                         "-Dinstallstyle=lib/perl5"
                         "-Duseshrplib"
                         (string-append "-Dlocincpth=" libc "/include")
-                        (string-append "-Dloclibpth=" libc "/lib")
-
-                        ;; Force the library search path to contain only libc
-                        ;; because it is recorded in Config.pm and
-                        ;; Config_heavy.pl; we don't want to keep a reference
-                        ;; to everything that's in $LIBRARY_PATH at build
-                        ;; time (Binutils, bzip2, file, etc.)
-                        (string-append "-Dlibpth=" libc "/lib")
-                        (string-append "-Dplibpth=" libc "/lib"))))))
+                        (string-append "-Dloclibpth=" libc "/lib"))))))
 
          (add-before
           'strip 'make-shared-objects-writable
@@ -105,7 +97,34 @@
                    (lib (string-append out "/lib")))
               (for-each (lambda (dso)
                           (chmod dso #o755))
-                        (find-files lib "\\.so$"))))))))
+                        (find-files lib "\\.so$")))))
+
+         (add-after 'install 'remove-extra-references
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out     (assoc-ref outputs "out"))
+                    (libc    (assoc-ref inputs "libc"))
+                    (config1 (car (find-files (string-append out "/lib/perl5")
+                                              "^Config_heavy\\.pl$")))
+                    (config2 (find-files (string-append out "/lib/perl5")
+                                         "^Config\\.pm$")))
+               ;; Force the library search path to contain only libc because
+               ;; it is recorded in Config.pm and Config_heavy.pl; we don't
+               ;; want to keep a reference to everything that's in
+               ;; $LIBRARY_PATH at build time (GCC, Binutils, bzip2, file,
+               ;; etc.)
+               (substitute* config1
+                 (("^incpth=.*$")
+                  (string-append "incpth='" libc "/include'\n"))
+                 (("^(libpth|plibpth|libspath)=.*$" _ variable)
+                  (string-append variable "='" libc "/lib'\n")))
+
+               (for-each (lambda (file)
+                           (substitute* config2
+                             (("libpth => .*$")
+                              (string-append "libpth => '" libc
+                                             "/lib',\n"))))
+                         config2)
+               #t))))))
     (native-search-paths (list (search-path-specification
                                 (variable "PERL5LIB")
                                 (files '("lib/perl5/site_perl")))))
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index b2d27efa46..c21a5f7eec 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -97,7 +97,7 @@
 (define-public python-2.7
   (package
     (name "python")
-    (version "2.7.10")
+    (version "2.7.11")
     (source
      (origin
       (method url-fetch)
@@ -105,56 +105,44 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "1h7zbrf9pkj29hlm18b10548ch9757f75m64l47sy75rh43p7lqw"))
-      (patches (search-patches
-                "python-2.7-search-paths.patch"
-                "python-2-deterministic-build-info.patch"
-                "python-2.7-source-date-epoch.patch"))))
+        "0iiz844riiznsyhhyy962710pz228gmhv8qi3yk4w4jhmx2lqawn"))
+      (patches (search-patches "python-2.7-search-paths.patch"
+                               "python-2-deterministic-build-info.patch"
+                               "python-2.7-source-date-epoch.patch"))
+      (modules '((guix build utils)))
+      ;; suboptimal to delete failing tests here, but if we delete them in the
+      ;; arguments then we need to make sure to strip out that phase when it
+      ;; gets inherited by python and python-minimal.
+      (snippet
+       '(begin
+          (for-each delete-file
+                    '("Lib/test/test_compileall.py"
+                      "Lib/test/test_distutils.py"
+                      "Lib/test/test_import.py"
+                      "Lib/test/test_shutil.py"
+                      "Lib/test/test_socket.py"
+                      "Lib/test/test_subprocess.py"))
+          #t))))
     (outputs '("out"
                "tk"))                     ;tkinter; adds 50 MiB to the closure
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f
-       ;; 268 tests OK.
-       ;; 103 tests failed:
-       ;;     test_distutils test_shutil test_signal test_site test_slice
-       ;;     test_smtplib test_smtpnet test_socket test_socketserver
-       ;;     test_softspace test_sort test_spwd test_sqlite test_ssl
-       ;;     test_startfile test_stat test_str test_strftime test_string
-       ;;     test_stringprep test_strop test_strptime test_strtod test_struct
-       ;;     test_structmembers test_structseq test_subprocess test_sunau
-       ;;     test_sunaudiodev test_sundry test_symtable test_syntax test_sys
-       ;;     test_sys_setprofile test_sys_settrace test_sysconfig test_tarfile
-       ;;     test_tcl test_telnetlib test_tempfile test_textwrap test_thread
-       ;;     test_threaded_import test_threadedtempfile test_threading
-       ;;     test_threading_local test_threadsignals test_time test_timeit
-       ;;     test_timeout test_tk test_tokenize test_tools test_trace
-       ;;     test_traceback test_transformer test_ttk_guionly test_ttk_textonly
-       ;;     test_tuple test_typechecks test_ucn test_unary
-       ;;     test_undocumented_details test_unicode test_unicode_file
-       ;;     test_unicodedata test_univnewlines test_univnewlines2k test_unpack
-       ;;     test_urllib test_urllib2 test_urllib2_localnet test_urllib2net
-       ;;     test_urllibnet test_urlparse test_userdict test_userlist
-       ;;     test_userstring test_uu test_uuid test_wait3 test_wait4
-       ;;     test_warnings test_wave test_weakref test_weakset test_whichdb
-       ;;     test_winreg test_winsound test_with test_wsgiref test_xdrlib
-       ;;     test_xml_etree test_xml_etree_c test_xmllib test_xmlrpc
-       ;;     test_xpickle test_xrange test_zipfile test_zipfile64
-       ;;     test_zipimport test_zipimport_support test_zlib
-       ;; 30 tests skipped:
+     `(;; 356 tests OK.
+       ;; 6 tests failed:
+       ;;     test_compileall test_distutils test_import test_shutil test_socket
+       ;;     test_subprocess
+       ;; 39 tests skipped:
        ;;     test_aepack test_al test_applesingle test_bsddb test_bsddb185
        ;;     test_bsddb3 test_cd test_cl test_codecmaps_cn test_codecmaps_hk
-       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_crypt
-       ;;     test_curses test_dl test_gdb test_gl test_idle test_imageop
-       ;;     test_imgfile test_ioctl test_kqueue test_linuxaudiodev test_macos
-       ;;     test_macostools test_msilib test_nis test_ossaudiodev
-       ;;     test_scriptpackages
-       ;; 6 skips unexpected on linux2:
-       ;;     test_bsddb test_bsddb3 test_crypt test_gdb test_idle test_ioctl
-       ;; One of the typical errors:
-       ;; test_unicode
-       ;; test test_unicode crashed -- <type 'exceptions.OSError'>: [Errno 2] No
-       ;; such file or directory
+       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
+       ;;     test_dl test_gdb test_gl test_imageop test_imgfile test_ioctl
+       ;;     test_kqueue test_linuxaudiodev test_macos test_macostools
+       ;;     test_msilib test_ossaudiodev test_scriptpackages test_smtpnet
+       ;;     test_socketserver test_startfile test_sunaudiodev test_timeout
+       ;;     test_tk test_ttk_guionly test_urllib2net test_urllibnet
+       ;;     test_winreg test_winsound test_zipfile64
+       ;; 4 skips unexpected on linux2:
+       ;;     test_bsddb test_bsddb3 test_gdb test_ioctl
        #:test-target "test"
        #:configure-flags
        (list "--enable-shared"                    ;allow embedding
@@ -217,6 +205,37 @@
                           (utime file circa-1980 circa-1980)
                           #t))
                #t)))
+          (add-after 'install 'remove-tests
+            ;; Remove 25 MiB of unneeded unit tests.  Keep test_support.*
+            ;; because these files are used by some libraries out there.
+            (lambda* (#:key outputs #:allow-other-keys)
+              (let ((out (assoc-ref outputs "out")))
+                (match (scandir (string-append out "/lib")
+                                (lambda (name)
+                                  (string-prefix? "python" name)))
+                  ((pythonX.Y)
+                   (let ((testdir (string-append out "/lib/" pythonX.Y
+                                                 "/test")))
+                     (with-directory-excursion testdir
+                       (for-each delete-file-recursively
+                                 (scandir testdir
+                                          (match-lambda
+                                            ((or "." "..") #f)
+                                            (file
+                                             (not
+                                              (string-prefix? "test_support."
+                                                              file))))))
+                       (call-with-output-file "__init__.py" (const #t))
+                       #t)))))))
+          (add-before 'strip 'make-libraries-writable
+            (lambda* (#:key outputs #:allow-other-keys)
+              ;; Make .so files writable so they can be stripped.
+              (let ((out (assoc-ref outputs "out")))
+                (for-each (lambda (file)
+                            (chmod file #o755))
+                          (find-files (string-append out "/lib")
+                                      "\\.so"))
+                #t)))
           (add-after 'install 'move-tk-inter
             (lambda* (#:key outputs #:allow-other-keys)
               ;; When Tkinter support is built move it to a separate output so
@@ -349,8 +368,8 @@ data types.")
                   (lambda (old new)
                     (symlink (string-append python old)
                              (string-append bin "/" new)))
-                  `("python3" ,"pydoc3" ,"idle3")
-                  `("python"  ,"pydoc"  ,"idle"))))))
+                  '("python3" "pydoc3" "idle3" "pip3" "python3-config")
+                  '("python"  "pydoc"  "idle" "pip" "python-config"))))))
     (synopsis "Wrapper for the Python 3 commands")
     (description
      "This package provides wrappers for the commands of Python@tie{}3.x such
diff --git a/gnu/packages/scheme.scm b/gnu/packages/scheme.scm
index 6baee2b309..e409dd546e 100644
--- a/gnu/packages/scheme.scm
+++ b/gnu/packages/scheme.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
-;;; Copyright © 2015 Federico Beffa <beffa@fbengineering.ch>
+;;; Copyright © 2015, 2016 Federico Beffa <beffa@fbengineering.ch>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
@@ -23,17 +23,23 @@
 
 (define-module (gnu packages scheme)
   #:use-module (gnu packages)
-  #:use-module (guix licenses)
+  #:use-module ((guix licenses)
+                #:select (gpl2+ lgpl2.0+ lgpl2.1+ asl2.0 bsd-3
+                          cc-by-sa4.0))
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix git-download)
   #:use-module (guix utils)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system trivial)
+  #:use-module (gnu packages compression)
   #:use-module (gnu packages m4)
   #:use-module (gnu packages multiprecision)
+  #:use-module (gnu packages ncurses)
   #:use-module (gnu packages databases)
   #:use-module (gnu packages emacs)
+  #:use-module (gnu packages ghostscript)
+  #:use-module (gnu packages netpbm)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tex)
   #:use-module (gnu packages base)
@@ -548,6 +554,160 @@ an isolated heap allowing multiple VMs to run simultaneously in different OS
 threads.")
     (license bsd-3)))
 
+(define nanopass
+  (let ((version "1.9"))
+    (origin
+      (method url-fetch)
+      (uri (string-append
+            "https://github.com/nanopass/nanopass-framework-scheme/archive"
+            "/v" version ".tar.gz"))
+      (sha256 (base32 "11pwyy4jiwhcl2am3a4ciczacjbjkyvdizqzdglb3l1hj2gj6nv2"))
+      (file-name (string-append "nanopass-" version ".tar.gz")))))
+
+(define stex
+  (let ((version "1.2.1"))
+    (origin
+      (method url-fetch)
+      (uri (string-append
+            "https://github.com/dybvig/stex/archive"
+            "/v" version ".tar.gz"))
+      (sha256 (base32 "03pl3f668h24dn51vccr1sj5lsba9zq3j37bnxjvdadcdaj4qy5z"))
+      (file-name (string-append "stex-" version ".tar.gz")))))
+
+(define-public chez-scheme
+  (package
+    (name "chez-scheme")
+    (version "9.4")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/cisco/ChezScheme/archive/"
+                           "v" version ".tar.gz"))
+       (sha256
+        (base32 "0lprmpsjg2plc6ykgkz482zyvhkzv6gd0vnar71ph21h6zknyklz"))
+       (file-name (string-append "chez-scheme-" version ".tar.gz"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("ncurses" ,ncurses)
+       ("libx11" ,libx11)
+       ("xorg-rgb" ,xorg-rgb)
+       ("nanopass" ,nanopass)
+       ("zlib" ,zlib)
+       ("stex" ,stex)))
+    (native-inputs
+     `(("texlive" ,texlive)
+       ("ghostscript" ,ghostscript)
+       ("netpbm" ,netpbm)))
+    (outputs '("out" "doc"))
+    (arguments
+     `(#:modules ((guix build gnu-build-system)
+                  (guix build utils)
+                  (ice-9 match))
+       #:test-target "test"
+       #:phases
+       (modify-phases %standard-phases
+         ;; Adapt the custom 'configure' script.
+         (replace 'configure
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (nanopass (assoc-ref inputs "nanopass"))
+                   (stex (assoc-ref inputs "stex"))
+                   (zlib (assoc-ref inputs "zlib"))
+                   (unpack (assoc-ref %standard-phases 'unpack))
+                   (patch-source-shebangs
+                    (assoc-ref %standard-phases 'patch-source-shebangs)))
+               (map (match-lambda
+                      ((src orig-name new-name)
+                       (with-directory-excursion "."
+                         (apply unpack (list #:source src))
+                         (apply patch-source-shebangs (list #:source src)))
+                       (delete-file-recursively new-name)
+                       (system* "mv" orig-name new-name)))
+                    `((,nanopass "nanopass-framework-scheme-1.9" "nanopass")
+                      (,stex "stex-1.2.1" "stex")))
+               ;; The Makefile wants to download and compile "zlib".  We patch
+               ;; it to use the one from our 'zlib' package.
+               (substitute* "configure"
+                 (("rmdir zlib .*$") "echo \"using system zlib\"\n"))
+               (substitute* (find-files "./c" "Mf-[a-zA-Z0-9.]+")
+                 (("\\$\\{Kernel\\}: \\$\\{kernelobj\\} \\.\\./zlib/libz\\.a")
+                  "${Kernel}: ${kernelobj}")
+                 (("ld -melf_x86_64 -r -X -o \\$\\{Kernel\\} \\$\\{kernelobj\\} \\.\\./zlib/libz\\.a")
+                  (string-append "ld -melf_x86_64 -r -X -o ${Kernel} ${kernelobj} "
+                                 zlib "/lib/libz.a"))
+                 (("\\(cd \\.\\./zlib; CFLAGS=-m64 \\./configure --64)")
+                  (which "true"))
+                 (("(cd \\.\\./zlib; make)")
+                  (which "true")))
+               (substitute* (find-files "mats" "Mf-.*")
+                 (("^[[:space:]]+(cc ) *") "\tgcc "))
+               (substitute*
+                   (find-files "." (string-append
+                                    "("
+                                    "Mf-[a-zA-Z0-9.]+"
+                                    "|Makefile[a-zA-Z0-9.]*"
+                                    "|checkin"
+                                    "|stex\\.stex"
+                                    "|newrelease"
+                                    "|workarea"
+                                    ;;"|[a-zA-Z0-9.]+\\.ms" ; guile can't read
+                                    ")"))
+                 (("/bin/rm") (which "rm"))
+                 (("/bin/ln") (which "ln"))
+                 (("/bin/cp") (which "cp")))
+               (substitute* "makefiles/installsh"
+                 (("/bin/true") (which "true")))
+               (substitute* "stex/Makefile"
+                 (("PREFIX=/usr") (string-append "PREFIX=" out)))
+               (zero? (system* "./configure" "--threads"
+                               (string-append "--installprefix=" out))))))
+         ;; Installation of the documentation requires a running "chez".
+         (add-after 'install 'install-doc
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((bin (string-append (assoc-ref outputs "out") "/bin"))
+                   (doc (string-append (assoc-ref outputs "doc")
+                                       "/share/doc/" ,name "-" ,version)))
+               (setenv "HOME" (getcwd))
+               (setenv "PATH" (string-append (getenv "PATH") ":" bin))
+               (with-directory-excursion "stex"
+                 (system* "make" (string-append "BIN=" bin)))
+               (system* "make" "docs")
+               (with-directory-excursion "csug"
+                 (substitute* "Makefile"
+                   (("/tmp/csug9") doc)
+                   (("^m = a6le")
+                    "m := $(shell echo '(machine-type)' | scheme -q)"))
+                 (system* "make" "install")
+                 (install-file "csug.pdf" doc))
+               (with-directory-excursion "release_notes"
+                 (install-file "release_notes.pdf" doc))
+               #t)))
+         ;; The binary file name is called "scheme" as the one from MIT/GNU
+         ;; Scheme.  We add a symlink to use in case both are installed.
+         (add-after 'install 'install-symlink
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out"))
+                    (bin (string-append out "/bin"))
+                    (lib (string-append out "/lib"))
+                    (name "chez-scheme"))
+               (symlink (string-append bin "/scheme")
+                        (string-append bin "/" name))
+               (map (lambda (file)
+                      (symlink file (string-append (dirname file)
+                                                   "/" name ".boot")))
+                    (find-files lib "scheme.boot"))
+               #t))))))
+    ;; According to the documentation MIPS is not supported.
+    (supported-systems (delete "mips64el-linux" %supported-systems))
+    (home-page "http://www.scheme.com")
+    (synopsis "R6RS Scheme compiler and run-time")
+    (description
+     "Chez Scheme is a compiler and run-time system for the language of the
+Revised^6 Report on Scheme (R6RS), with numerous extensions.  The compiler
+generates native code for each target processor, with support for x86, x86_64,
+and 32-bit PowerPC architectures.")
+    (license asl2.0)))
+
 (define-public scmutils
   (let ()
     (define (system-suffix)
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 4921b10124..d645ef4bc1 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -32,14 +32,14 @@
 (define-public texinfo
   (package
     (name "texinfo")
-    (version "6.0")
+    (version "6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1r3i6jyynn6ab45fxw5bms8mflk9ry4qpj6gqyry72vfd5c47fhi"))))
+                "1ll3d0l8izygdxqz96wfr2631kxahifwdknpgsx2090vw963js5c"))))
     (build-system gnu-build-system)
     (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
@@ -62,18 +62,6 @@ their source and the command-line Info reader.  The emphasis of the language
 is on expressing the content semantically, avoiding physical markup commands.")
     (license gpl3+)))
 
-(define-public texinfo-6.1
-  (package
-    (inherit texinfo)
-    (version "6.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/texinfo/texinfo-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1ll3d0l8izygdxqz96wfr2631kxahifwdknpgsx2090vw963js5c"))))))
-
 (define-public texinfo-5
   (package (inherit texinfo)
     (version "5.2")
@@ -105,10 +93,10 @@ is on expressing the content semantically, avoiding physical markup commands.")
   ;; The idea of this package is to have the standalone Info reader without
   ;; the dependency on Perl that 'makeinfo' drags.
   (package
-    (inherit texinfo-6.1)
+    (inherit texinfo)
     (name "info-reader")
     (arguments
-     `(#:disallowed-references ,(assoc-ref (package-inputs texinfo-6.1)
+     `(#:disallowed-references ,(assoc-ref (package-inputs texinfo)
                                            "perl")
 
        #:modules ((ice-9 ftw) (srfi srfi-1)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index e543a7e3fe..d3ab981056 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -47,7 +47,7 @@
 (define-public libtasn1
   (package
     (name "libtasn1")
-    (version "4.7")
+    (version "4.8")
     (source
      (origin
       (method url-fetch)
@@ -55,7 +55,7 @@
                           version ".tar.gz"))
       (sha256
        (base32
-        "1j8iixynchziw1y39lnibyl5h81m4p78w3i4f28q2vgwjgf801x4"))))
+        "04y5m29pqmvkfdbppmsdifyx89v8xclxzklpfc7a1fkr9p4jz07s"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (home-page "http://www.gnu.org/software/libtasn1/")
@@ -65,22 +65,8 @@
 for transmitting machine-neutral encodings of data objects in computer
 networking, allowing for formal validation of data according to some
 specifications.")
-    (replacement libtasn1/fixed)
     (license license:lgpl2.0+)))
 
-(define libtasn1/fixed                            ;for CVE-2016-4008
-  (package
-    (inherit libtasn1)
-    (source
-     (let ((version "4.8"))
-       (origin
-         (method url-fetch)
-         (uri (string-append "mirror://gnu/libtasn1/libtasn1-"
-                             version ".tar.gz"))
-         (sha256
-          (base32
-           "04y5m29pqmvkfdbppmsdifyx89v8xclxzklpfc7a1fkr9p4jz07s")))))))
-
 (define-public p11-kit
   (package
     (name "p11-kit")
@@ -122,7 +108,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.4.7")
+    (version "3.5.0")
     (source (origin
              (method url-fetch)
              (uri
@@ -133,7 +119,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "0nifi3mr5jhz608pidkp8cjs4vwfj1m2qczsjrgpnp99615rxgn1"))))
+               "09dfb0fn4spmdja6hs2yl470fn85fx0pa5nn9njnq7j19ma3nszw"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -183,7 +169,7 @@ living in the same process.")
        ("libidn" ,libidn)
        ("nettle" ,nettle)
        ("zlib" ,zlib)))
-    (home-page "http://www.gnu.org/software/gnutls/")
+    (home-page "https://www.gnu.org/software/gnutls/")
     (synopsis "Transport layer security library")
     (description
      "GnuTLS is a secure communications library implementing the SSL, TLS
@@ -197,8 +183,7 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (version "1.0.2g")
-   (replacement openssl/fixed)
+   (version "1.0.2h")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "ftp://ftp.openssl.org/source/"
@@ -208,15 +193,23 @@ required structures.")
                                        "/" name "-" version ".tar.gz")))
              (sha256
               (base32
-               "0cxajjayi859czi545ddafi24m9nwsnjsw4q82zrmqvwj2rv315p"))
+               "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x"))
              (patches (search-patches "openssl-runpath.patch"
                                       "openssl-c-rehash-in.patch"))))
    (build-system gnu-build-system)
+   (outputs '("out"
+              "doc"                               ;1.5MiB of man3 pages
+              "static"))                          ;6MiB of .a files
    (native-inputs `(("perl" ,perl)))
    (arguments
-    `(#:parallel-build? #f
+    `(#:disallowed-references (,perl)
+      #:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+      ;; so we explicitly disallow it here.
+      #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
@@ -263,6 +256,33 @@ required structures.")
                        (find-files (string-append out "/lib")
                                    "\\.so"))
              #t)))
+        (add-after 'install 'move-static-libraries
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; Move static libraries to the "static" output.
+            (let* ((out    (assoc-ref outputs "out"))
+                   (lib    (string-append out "/lib"))
+                   (static (assoc-ref outputs "static"))
+                   (slib   (string-append static "/lib")))
+              (mkdir-p slib)
+              (for-each (lambda (file)
+                          (install-file file slib)
+                          (delete-file file))
+                        (find-files lib "\\.a$"))
+              #t)))
+        (add-after 'install 'move-man3-pages
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; Move section 3 man pages to "doc".
+            (let* ((out    (assoc-ref outputs "out"))
+                   (man3   (string-append out "/share/man/man3"))
+                   (doc    (assoc-ref outputs "doc"))
+                   (target (string-append doc "/share/man/man3")))
+              (mkdir-p target)
+              (for-each (lambda (file)
+                          (rename-file file
+                                       (string-append target "/"
+                                                      (basename file))))
+                        (find-files man3))
+              #t)))
         (add-before
          'patch-source-shebangs 'patch-tests
          (lambda* (#:key inputs native-inputs #:allow-other-keys)
@@ -299,25 +319,6 @@ required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
-(define openssl/fixed
-  (package
-    (inherit openssl)
-    (source
-     (let ((name "openssl")
-           (version "1.0.2h"))
-       (origin
-         (method url-fetch)
-         (uri (list (string-append "ftp://ftp.openssl.org/source/"
-                                   name "-" version ".tar.gz")
-                    (string-append "ftp://ftp.openssl.org/source/old/"
-                                   (string-trim-right version char-set:letter)
-                                   "/" name "-" version ".tar.gz")))
-         (sha256
-          (base32
-           "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x"))
-         (patches (search-patches "openssl-runpath.patch"
-                                  "openssl-c-rehash-in.patch")))))))
-
 (define-public libressl
   (package
     (name "libressl")
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index eee04faec0..ecdf4c35e6 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -323,7 +323,7 @@ SMPTE 314M.")
 (define-public libva
   (package
     (name "libva")
-    (version "1.6.1")
+    (version "1.7.0")
     (source
      (origin
        (method url-fetch)
@@ -331,7 +331,7 @@ SMPTE 314M.")
              "https://www.freedesktop.org/software/vaapi/releases/libva/libva-"
              version".tar.bz2"))
        (sha256
-        (base32 "0bjfb5s8dk3lql843l91ffxzlq47isqks5sj19cxh7j3nhzw58kz"))))
+        (base32 "0py9igf4kicj7ji22bjawkpd6my013qpg0s4ir2np9l1rk5vr2d6"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -362,7 +362,7 @@ SMPTE 314M.")
        #:make-flags
        (list (string-append "dummy_drv_video_ladir="
                             (assoc-ref %outputs "out") "/lib/dri"))))
-    (home-page "http://www.freedesktop.org/wiki/Software/vaapi/")
+    (home-page "https://www.freedesktop.org/wiki/Software/vaapi/")
     (synopsis "Video acceleration library")
     (description "The main motivation for VA-API (Video Acceleration API) is
 to enable hardware accelerated video decode/encode at various
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 1ece2e164b..bfcba473a8 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -261,7 +261,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.65")
+    (version "2.4.67")
     (source
       (origin
         (method url-fetch)
@@ -271,7 +271,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1i4n7mz49l0j4kr0dg9n1j3hlc786ncqgj0v5fci1mz7pp40m5ki"))
+            "1gnf206zs8dwszvkv4z2hbvh23045z0q29kms127bqrv27hp2nzf"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (inputs
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index e62bfa7e54..e0d795b62f 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -4,9 +4,10 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
+;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -46,16 +47,17 @@
 (define-public expat
   (package
     (name "expat")
-    (replacement expat/fixed)
-    (version "2.1.0")
+    (version "2.1.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
-                                 version "/expat-" version ".tar.gz"))
+                                 version "/expat-" version ".tar.bz2"))
+             (patches (search-patches "expat-CVE-2012-6702-and-CVE-2016-5300.patch"
+                                      "expat-CVE-2015-1283-refix.patch"
+                                      "expat-CVE-2016-0718.patch"))
              (sha256
               (base32
-               "11pblz61zyxh68s5pdcbhc30ha1b2vfjd83aiwfg4vc15x3hadw2"))
-             (patches (search-patches "expat-CVE-2015-1283.patch"))))
+               "0ryyjgvy7jq0qb7a9mhc1giy3bzn56aiwrs8dpydqngplbjq9xdg"))))
     (build-system gnu-build-system)
     (home-page "http://www.libexpat.org/")
     (synopsis "Stream-oriented XML parser library written in C")
@@ -65,28 +67,17 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define expat/fixed
-  (package
-    (inherit expat)
-    (source (origin
-              (inherit (package-source expat))
-              (patches (search-patches "expat-CVE-2012-6702-and-CVE-2016-5300.patch"
-                                       "expat-CVE-2015-1283.patch"
-                                       "expat-CVE-2015-1283-refix.patch"
-                                       "expat-CVE-2016-0718.patch"))))))
-
 (define-public libxml2
   (package
     (name "libxml2")
-    (version "2.9.3")
-    (replacement libxml2/fixed)                   ;multiple CVEs
+    (version "2.9.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
                                  version ".tar.gz"))
              (sha256
               (base32
-               "0bd17g6znn2r98gzpjppsqjg33iraky4px923j3k8kdl8qgy7sad"))))
+               "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))))
     (build-system gnu-build-system)
     (home-page "http://www.xmlsoft.org/")
     (synopsis "C parser for XML")
@@ -106,20 +97,6 @@ things the parser might find in the XML document (like start tags).")
 project (but it is usable outside of the Gnome platform).")
     (license license:x11)))
 
-(define libxml2/fixed
-  (package
-    (inherit libxml2)
-    (source
-     (let ((name "libxml2")
-           (version "2.9.4"))
-       (origin
-         (method url-fetch)
-         (uri (string-append "ftp://xmlsoft.org/libxml2/libxml2-"
-                             version ".tar.gz"))
-         (sha256
-          (base32
-           "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
-
 (define-public python-libxml2
   (package (inherit libxml2)
     (name "python-libxml2")
@@ -161,7 +138,9 @@ project (but it is usable outside of the Gnome platform).")
              (sha256
               (base32
                "13029baw9kkyjgr7q3jccw2mz38amq7mmpr5p3bh775qawd1bisz"))
-             (patches (search-patches "libxslt-CVE-2015-7995.patch"))))
+             (patches (search-patches "libxslt-generated-ids.patch"
+                                      "libxslt-remove-date-timestamps.patch"
+                                      "libxslt-CVE-2015-7995.patch"))))
     (build-system gnu-build-system)
     (home-page "http://xmlsoft.org/XSLT/index.html")
     (synopsis "C library for applying XSLT stylesheets to XML documents")
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 46f0f6ec99..ad81f975dc 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -4281,7 +4281,30 @@ Various information is displayed depending on which options are selected.")
 formatted dump file, such as produced by xwd.")
     (license license:x11)))
 
-
+(define-public xorg-rgb
+  (package
+    (name "xorg-rgb")
+    (version "1.0.6")
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append
+               "mirror://xorg/individual/app/rgb-"
+               version
+               ".tar.bz2"))
+        (sha256
+          (base32
+            "1c76zcjs39ljil6f6jpx1x17c8fnvwazz7zvl3vbjfcrlmm7rjmv"))))
+    (build-system gnu-build-system)
+    (inputs
+     `(("xproto" ,xproto)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)))
+    (home-page "http://www.x.org/wiki/")
+    (synopsis "X color name database")
+    (description
+     "This package provides the X color name database.")
+    (license license:x11)))
 
 ;; packages of height 1 in the propagated-inputs tree
 
diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm
index b8837c63f0..f09e8c24f2 100644
--- a/gnu/system/shadow.scm
+++ b/gnu/system/shadow.scm
@@ -132,12 +132,6 @@
 (define (default-skeletons)
   "Return the default skeleton files for /etc/skel.  These files are copied by
 'useradd' in the home directory of newly created user accounts."
-  (define fonts.conf-content
-    ;; SXML for ~/.config/fontconfig/fonts.conf.  This works around the fact
-    ;; that Fontconfig currently does not such this directory by default,
-    ;; thereby ignoring fonts installed system-wide (FIXME).
-    `(fontconfig (dir "/run/current-system/profile/share/fonts")))
-
   (define copy-guile-wm
     #~(begin
         (use-modules (guix build utils))
@@ -181,22 +175,6 @@ source /etc/profile\n"))
         (xdefaults (plain-file "Xdefaults" "\
 XTerm*utf8: always
 XTerm*metaSendsEscape: true\n"))
-        (fonts.conf (computed-file
-                     "fonts.conf"
-                     #~(begin
-                         (use-modules (guix build utils)
-                                      (sxml simple))
-
-                         (define dir
-                           (string-append #$output
-                                          "/fontconfig"))
-
-                         (mkdir-p dir)
-                         (call-with-output-file (string-append dir
-                                                             "/fonts.conf")
-                           (lambda (port)
-                             (sxml->xml '#$fonts.conf-content port))))
-                     #:modules '((guix build utils))))
         (gdbinit   (plain-file "gdbinit" "\
 # Tell GDB where to look for separate debugging files.
 set debug-file-directory ~/.guix-profile/lib/debug\n")))
@@ -205,7 +183,6 @@ set debug-file-directory ~/.guix-profile/lib/debug\n")))
       (".zlogin" ,zlogin)
       (".Xdefaults" ,xdefaults)
       (".guile-wm" ,guile-wm)
-      (".config" ,fonts.conf)
       (".gdbinit" ,gdbinit))))
 
 (define (skeleton-directory skeletons)