Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk10
-rw-r--r--gnu/packages/algebra.scm4
-rw-r--r--gnu/packages/audio.scm4
-rw-r--r--gnu/packages/backup.scm12
-rw-r--r--gnu/packages/bioinformatics.scm4
-rw-r--r--gnu/packages/databases.scm4
-rw-r--r--gnu/packages/emacs.scm26
-rw-r--r--gnu/packages/fontutils.scm5
-rw-r--r--gnu/packages/gd.scm3
-rw-r--r--gnu/packages/haskell.scm552
-rw-r--r--gnu/packages/julia.scm142
-rw-r--r--gnu/packages/libreoffice.scm4
-rw-r--r--gnu/packages/linux.scm12
-rw-r--r--gnu/packages/password-utils.scm11
-rw-r--r--gnu/packages/patches/gd-CVE-2016-7568.patch44
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
-rw-r--r--gnu/packages/patches/libarchive-fix-filesystem-attacks.patch445
-rw-r--r--gnu/packages/patches/libarchive-fix-symlink-check.patch60
-rw-r--r--gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch44
-rw-r--r--gnu/packages/patches/quickswitch-fix-dmenu-check.patch32
-rw-r--r--gnu/packages/shells.scm12
-rw-r--r--gnu/packages/statistics.scm61
-rw-r--r--gnu/packages/textutils.scm6
-rw-r--r--gnu/packages/tmux.scm4
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/wm.scm89
-rw-r--r--gnu/services/admin.scm119
-rw-r--r--gnu/services/nfs.scm4
-rw-r--r--gnu/services/ssh.scm51
-rw-r--r--gnu/tests/ssh.scm193
30 files changed, 1626 insertions, 412 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 7c44196e0d..d74081b673 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -386,6 +386,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/zip.scm				\
 						\
   %D%/services.scm				\
+  %D%/services/admin.scm			\
   %D%/services/avahi.scm			\
   %D%/services/base.scm				\
   %D%/services/databases.scm			\
@@ -430,7 +431,8 @@ GNU_SYSTEM_MODULES =				\
 						\
   %D%/tests.scm					\
   %D%/tests/base.scm				\
-  %D%/tests/install.scm
+  %D%/tests/install.scm				\
+  %D%/tests/ssh.scm
 
 
 patchdir = $(guilemoduledir)/%D%/packages/patches
@@ -528,6 +530,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
+  %D%/packages/patches/gd-CVE-2016-7568.patch			\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
@@ -620,6 +623,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
+  %D%/packages/patches/libarchive-7zip-heap-overflow.patch	\
+  %D%/packages/patches/libarchive-fix-symlink-check.patch	\
+  %D%/packages/patches/libarchive-fix-filesystem-attacks.patch	\
+  %D%/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch	\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcmis-fix-test-onedrive.patch		\
@@ -781,6 +788,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-paste-remove-timing-test.patch	\
   %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
   %D%/packages/patches/qt4-ldflags.patch			\
+  %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
   %D%/packages/patches/rapicorn-isnan.patch			\
   %D%/packages/patches/ratpoison-shell.patch			\
   %D%/packages/patches/readline-link-ncurses.patch		\
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 016f52db19..32f23597ae 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -593,14 +593,14 @@ cosine/ sine transforms or DCT/DST).")
 (define-public eigen
   (package
     (name "eigen")
-    (version "3.2.8")
+    (version "3.2.9")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://bitbucket.org/eigen/eigen/get/"
                                   version ".tar.bz2"))
               (sha256
                (base32
-                "0mby6my1djsg8681fcvlaq0i4kd17fja9qn5f713j3xpfbb66akj"))
+                "1zs5b210mq7nyanky07li6456rrd0xv2nxf6sl2lhkzdq5p067jd"))
               (file-name (string-append name "-" version ".tar.bz2"))
               (modules '((guix build utils)))
               (snippet
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 39ecc52d8b..192fb0e231 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -877,7 +877,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
 (define-public guitarix
   (package
     (name "guitarix")
-    (version "0.35.0")
+    (version "0.35.1")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -885,7 +885,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
                    version ".tar.xz"))
              (sha256
               (base32
-               "10hijqrrl8xil46kgsac10ysfxysisxlibm2rz133zyig5n63jdw"))))
+               "066qva1zk63qw60s0vbi9g9jh22ljw67p91pk82kv11gw24h3vg6"))))
     (build-system waf-build-system)
     (arguments
      `(#:tests? #f ; no "check" target
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index c6f1321d77..797c06e149 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -172,6 +172,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.2.1")
     (source
      (origin
@@ -227,6 +228,17 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
+(define libarchive/fixed
+  (package
+    (inherit libarchive)
+    (source (origin
+              (inherit (package-source libarchive))
+              (patches (search-patches
+                         "libarchive-7zip-heap-overflow.patch"
+                         "libarchive-fix-symlink-check.patch"
+                         "libarchive-fix-filesystem-attacks.patch"
+                         "libarchive-safe_fprintf-buffer-overflow.patch"))))))
+
 (define-public rdup
   (package
     (name "rdup")
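Review bot: The new `libarchive/fixed` definition has no comment saying what the four patches fix or where they were taken from, and three of the file names carry no advisory identifier, unlike `gd-CVE-2016-7568.patch` in the same commit. A short comment above the definition would help whoever later folds the graft back into `libarchive`, for example `;; Graft for security fixes; merge into 'libarchive' and drop the replacement on the next full rebuild.` If the patches have to apply in the listed order (the symlink-check fix before the filesystem-attacks one), the same comment should say so, since the list is not alphabetical. The hunk ends inside the following `rdup` definition, which is unchanged.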
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 3cf1ffcd1f..cf20057bcd 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -5571,7 +5571,7 @@ track.  The database is exposed as a @code{TxDb} object.")
 (define-public vsearch
   (package
     (name "vsearch")
-    (version "2.1.1")
+    (version "2.1.2")
     (source
      (origin
        (method url-fetch)
@@ -5581,7 +5581,7 @@ track.  The database is exposed as a @code{TxDb} object.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0rn40inkpgv0j1r1j9kmgjkb7nc8v5c9ijvbhzr17iayannxvlq9"))
+         "1zzfj6ydsfzljyswlwqknpp8s2cf31vimi1aqf9ljsbagjyizc58"))
        (modules '((guix build utils)))
        (snippet
         '(begin
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 4eface899e..8970ea1c03 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -779,7 +779,7 @@ columns, primary keys, unique constraints and relationships.")
 (define-public perl-dbd-mysql
   (package
     (name "perl-dbd-mysql")
-    (version "4.035")
+    (version "4.037")
     (source
      (origin
        (method url-fetch)
@@ -787,7 +787,7 @@ columns, primary keys, unique constraints and relationships.")
                            "DBD-mysql-" version ".tar.gz"))
        (sha256
         (base32
-         "0dqrnrk8yjl06xl8hld5wyalk77z0h9j5h1gdk4z9g0nx9js7v5p"))))
+         "1z1wxnzhxfr9awjqb1d8pz9hf50shbk9ip2jmsmgdlwfyb78lmyz"))))
     (build-system perl-build-system)
     ;; Tests require running MySQL server
     (arguments `(#:tests? #f))
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index df9f4496fb..4a20f0c1a5 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -12,7 +12,7 @@
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2016 Matthew Jordan <matthewjordandevops@yandex.com>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016 ng0 <ngillmann@runbox.com>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Alex Vong <alexvong1995@gmail.com>
@@ -2231,6 +2231,30 @@ perspective only its buffers are available by default.")
     ;; the Expat license.
     (license license:gpl3+)))
 
+(define-public emacs-rudel
+  (package
+    (name "emacs-rudel")
+    (version "0.3.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://elpa.gnu.org/packages/rudel-"
+                           version ".tar"))
+       (sha256
+        (base32
+         "0glqa68g509p0s2vcc0i8kzlddnc9brd9jqhnm5rzxz4i050cvnz"))))
+    (build-system emacs-build-system)
+    (home-page "http://rudel.sourceforge.net/")
+    (synopsis "Collaborative editing framework")
+    (description
+     "Rudel is a collaborative editing environment for GNU Emacs.  Its purpose
+is to share buffers with other users in order to edit the contents of those
+buffers collaboratively.  Rudel supports multiple backends to enable
+communication with other collaborative editors using different protocols,
+though currently Obby (for use with the Gobby editor) is the only
+fully-functional one.")
+    (license license:gpl3+)))
+
 (define-public emacs-hydra
   (package
     (name "emacs-hydra")
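Review bot: The `uri` of the added `emacs-rudel` package fetches over plain `http://elpa.gnu.org/packages/`. The `sha256` pins the tarball, so a modified download is rejected rather than built, but an https URI avoids that failure mode and matches the other https sources in this commit: `(uri (string-append "https://elpa.gnu.org/packages/rudel-"`. The same would apply to `home-page` if the project site serves https, which is not visible here. The hunk ends inside the following `emacs-hydra` definition.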
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index e4ad1cd8ce..5054df8fca 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -426,9 +426,8 @@ resolution.")
     (version "0.9.13")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                    "mirror://savannah/releases/m17n/libotf-"
-                    version ".tar.gz"))
+              (uri (string-append "mirror://savannah/m17n/libotf-"
+                                  version ".tar.gz"))
               (sha256
                (base32 "0239zvfan56w7vrppriwy77fzb10ag9llaz15nsraps2a2x6di3v"))))
     (build-system gnu-build-system)
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 4ba019460f..6c94d35bdf 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -50,7 +50,8 @@
              (sha256
               (base32
                "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))
-             (patches (search-patches "gd-fix-gd2-read-test.patch"
+             (patches (search-patches "gd-CVE-2016-7568.patch"
+                                      "gd-fix-gd2-read-test.patch"
                                       "gd-fix-tests-on-i686.patch"))))
     (build-system gnu-build-system)
     (native-inputs
diff --git a/gnu/packages/haskell.scm b/gnu/packages/haskell.scm
index 3bd3e1476d..cf17c4f3d8 100644
--- a/gnu/packages/haskell.scm
+++ b/gnu/packages/haskell.scm
@@ -342,7 +342,7 @@ reduce @code{UndecidableInstances}.")
        (sha256
         (base32 "0d1hm0l9kim3kszshr4msmgzizrzha48gz2kb7b61p7n3gs70m7c"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class"
         ,ghc-data-default-class)
        ("ghc-data-default-instances-base"
@@ -394,7 +394,7 @@ packages.")
        (sha256
         (base32 "1832nq6by91f1iw73ycvkbgn8kpra83pvf2q61hy47xffh0zy4pb"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class" ,ghc-data-default-class)))
     (home-page "https://hackage.haskell.org/package/data-default-instances-base")
     (synopsis "Default instances for types in base")
@@ -417,7 +417,7 @@ package.")
        (sha256
         (base32 "06h8xka031w752a7cjlzghvr8adqbl95xj9z5zc1b62w02phfpm5"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class" ,ghc-data-default-class)))
     (home-page "https://hackage.haskell.org/package/data-default-instances-containers")
     (synopsis "Default instances for types in containers")
@@ -439,7 +439,7 @@ package.")
        (sha256
         (base32 "0narkdqiprhgayjiawrr4390h4rq4pl2pb6mvixbv2phrc8kfs3x"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-dlist" ,ghc-dlist)))
     (home-page "https://hackage.haskell.org/package/data-default-instances-dlist")
@@ -467,6 +467,8 @@ package.")
      `(("ghc-base-compat" ,ghc-base-compat)
        ("ghc-hspec" ,ghc-hspec)
        ("ghc-quickcheck" ,ghc-quickcheck)))
+    (native-inputs
+     `(("hspec-discover" ,hspec-discover)))
     (home-page "http://www.haskell.org/haddock/")
     (synopsis
      "Library exposing some functionality of Haddock")
@@ -493,7 +495,7 @@ the ‘haddock’ package.")
         (base32
          "1spd5axg1pdjv4dkdb5gcwjsc8gg37qi4mr2k2db6ayywdkis1p2"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-paths" ,ghc-paths)
        ("ghc-haddock-library" ,ghc-haddock-library)))
     (home-page "http://www.haskell.org/haddock/")
@@ -774,7 +776,7 @@ postfix notation.  For more information on stack based languages, see
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ;; cannot satisfy -package mtl.  Possible Cabal
                                ;; issue.
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)))
     (home-page "https://hackage.haskell.org/package/happy")
     (synopsis "Parser generator for Haskell")
@@ -798,7 +800,7 @@ Happy works in a similar way to the yacc tool for C.")
         (base32
          "1h8gjw5g92rvvzadqzpscg73x7ajvs1wlphrh27afim3scdd8frz"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("cpphs" ,cpphs)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-happy" ,ghc-happy)
@@ -861,14 +863,14 @@ unwanted suggestions, and to add your own custom suggestions.")
         (base32
          "0zhsaaa4n8ry76vjih519a8npm2hrzk10d5asrgllcwpzmifl41y"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-transformers-base" ,ghc-transformers-base)
        ("ghc-monad-control" ,ghc-monad-control)
        ("ghc-transformers-compat" ,ghc-transformers-compat)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-mmorph" ,ghc-mmorph)
        ("ghc-exceptions" ,ghc-exceptions)))
-    (inputs
+    (native-inputs
      `(("ghc-lifted-base" ,ghc-lifted-base)
        ("ghc-hspec" ,ghc-hspec)))
     (home-page "https://github.com/snoyberg/conduit")
@@ -892,12 +894,12 @@ code where you can safely allocate resources.")
         (base32
          "1j2qrn2dbfx01m7zyk9ilgnp9zjwq9mk62b0rdal4zkg4vh212h0"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-tagsoup" ,ghc-tagsoup)
        ("ghc-utf8-string" ,ghc-utf8-string)
        ("ghc-css-text" ,ghc-css-text)
        ("ghc-network-uri" ,ghc-network-uri)))
-    (inputs
+    (native-inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-attoparsec" ,ghc-attoparsec)
        ("ghc-hspec" ,ghc-hspec)
@@ -978,10 +980,9 @@ award winning Linux port of \"Civilization: Call To Power.\"")
        (let* ((sdl-mixer (assoc-ref %build-inputs "sdl-mixer"))
               (sdl-mixer-include (string-append sdl-mixer "/include/SDL")))
          (list (string-append "--extra-include-dirs=" sdl-mixer-include)))))
-    (propagated-inputs
-     `(("ghc-sdl" ,ghc-sdl)))
     (inputs
-     `(("sdl-mixer" ,sdl-mixer)))
+     `(("ghc-sdl" ,ghc-sdl)
+       ("sdl-mixer" ,sdl-mixer)))
     (home-page "https://hackage.haskell.org/package/SDL-mixer")
     (synopsis "Haskell bindings to libSDL_mixer")
     (description "SDL_mixer is a sample multi-channel audio mixer library.  It
@@ -1010,10 +1011,9 @@ MIDI, Ogg Vorbis, and SMPEG MP3 libraries.")
        (let* ((sdl-image (assoc-ref %build-inputs "sdl-image"))
               (sdl-image-include (string-append sdl-image "/include/SDL")))
          (list (string-append "--extra-include-dirs=" sdl-image-include)))))
-    (propagated-inputs
-     `(("ghc-sdl" ,ghc-sdl)))
     (inputs
-     `(("sdl-image" ,sdl-image)))
+     `(("ghc-sdl" ,ghc-sdl)
+       ("sdl-image" ,sdl-image)))
     (home-page "https://hackage.haskell.org/package/SDL-image")
     (synopsis "Haskell bindings to libSDL_image")
     (description "SDL_image is an image file loading library.  It loads images
@@ -1089,12 +1089,11 @@ found at runtime, a userError is thrown.")
         (base32
          "1qfilpc10jm47anan44c20y8mh76f2dv09m5d22gk0f7am7hg4k2"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-statevar" ,ghc-statevar)
+       ("ghc-opengl" ,ghc-opengl)
        ("ghc-openglraw" ,ghc-openglraw)
        ("freeglut" ,freeglut)))
-    (inputs
-     `(("ghc-opengl" ,ghc-opengl)))
     (home-page "http://www.haskell.org/haskellwiki/Opengl")
     (synopsis "Haskell bindings for the OpenGL Utility Toolkit")
     (description "This library provides Haskell bindings for the OpenGL
@@ -1117,7 +1116,7 @@ programs.")
         (base32
          "0gscd9lhp9mb10q8s716nx26m8qng9xbb4h6b3f48zzgkc1sy96x"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-openglraw" ,ghc-openglraw)))
     (home-page "http://www.haskell.org/haskellwiki/Opengl")
     (synopsis "Raw Haskell bindings GLU")
@@ -1141,7 +1140,7 @@ basis for a nicer interface.")
         (base32
          "1mcfb167jl75qc2hgylh83vf2jqizvyvkvhhb72adi2crc3zqz4b"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-objectname" ,ghc-objectname)
        ("ghc-gluraw" ,ghc-gluraw)
@@ -1169,17 +1168,19 @@ version 1.3).")
         (base32
          "12nw9bwvy6zrabkgvbp371klca3ds6qjlfncg1b8pbwx1y7m8c8h"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-random" ,ghc-random)))
     (inputs
-     `(("ghc-quickcheck" ,ghc-quickcheck)
-       ("ghc-async" ,ghc-async)
-       ("ghc-blaze-builder" ,ghc-blaze-builder)
-       ("ghc-hspec" ,ghc-hspec)
+     `(("ghc-blaze-builder" ,ghc-blaze-builder)
+       ("ghc-directory" ,ghc-directory)
+       ("ghc-network" ,ghc-network)
+       ("ghc-random" ,ghc-random)
        ("ghc-stm" ,ghc-stm)
        ("ghc-text" ,ghc-text)
-       ("ghc-network" ,ghc-network)
+       ("ghc-transformers" ,ghc-transformers)
        ("ghc-zlib" ,ghc-zlib)))
+    (native-inputs
+     `(("ghc-quickcheck" ,ghc-quickcheck)
+       ("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/streaming-commons")
     (synopsis "Conduit and pipes needed by some streaming data libraries")
     (description "Provides low-dependency functionality commonly needed by
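Review bot: `ghc-async` was listed in the old `inputs` next to the test libraries and appears in neither the new `inputs` nor the new `native-inputs`. If the test suite still imports it, the check phase will fail to resolve the package; if it was dropped on purpose, nothing in the hunk says so. Restoring it would be one line in `native-inputs`: `("ghc-async" ,ghc-async)`. The package definition begins before the hunk and continues after it.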
@@ -1201,7 +1202,7 @@ various Haskell streaming data libraries, such as @code{conduit} and
         (base32
          "1njpmxgpah5pcqppcl1cxb5xicf6xlqrd162qm12khp9hainlm72"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-polyparse" ,ghc-polyparse)
        ("ghc-old-locale" ,ghc-old-locale)
        ("ghc-old-time" ,ghc-old-time)))
@@ -1276,7 +1277,7 @@ date and time formats.")
         (base32
          "1h9b26s3kfh2k0ih4383w90ibji6n0iwamxp6rfp2lbq1y5ibjqw"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-old-locale" ,ghc-old-locale)))
     (home-page "https://hackage.haskell.org/package/old-time")
     (synopsis "Time compatibility library for Haskell")
@@ -1299,7 +1300,7 @@ old @code{time} library.  For new projects, the newer
         (sha256
           (base32 "00h81i5phib741yj517p8mbnc48myvfj8axzsw44k34m48lv1lv0"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-old-locale" ,ghc-old-locale)))
     (home-page
@@ -1368,7 +1369,7 @@ versions of GHC (i.e., < 6.10).")
        (base32 "1d5h7h2wjwc2s3dvsvzjgmmfrfl2312ym2h6kyjgm9wnaqw9w8wx"))))
    (arguments `(#:tests? #f)) ; FIXME: testing libraries are missing.
    (build-system haskell-build-system)
-   (propagated-inputs
+   (inputs
     `(("ghc-http" ,ghc-http)
       ("ghc-mtl" ,ghc-mtl)
       ("ghc-network-uri" ,ghc-network-uri)
@@ -1492,9 +1493,8 @@ environment variables.")
      `(("libx11" ,libx11)
        ("libxrandr" ,libxrandr)
        ("libxinerama" ,libxinerama)
-       ("libxscrnsaver" ,libxscrnsaver)))
-    (propagated-inputs
-     `(("ghc-data-default" ,ghc-data-default)))
+       ("libxscrnsaver" ,libxscrnsaver)
+       ("ghc-data-default" ,ghc-data-default)))
     (home-page "https://github.com/haskell-pkg-janitors/X11")
     (synopsis "Bindings to the X11 graphics library")
     (description
@@ -1513,11 +1513,10 @@ bindings are a direct translation of the C bindings.")
                            "X11-xft-" version ".tar.gz"))
        (sha256
         (base32 "1lgqb0s2qfwwgbvwxhjbi23rbwamzdi0l0slfr20c3jpcbp3zfjf"))))
-    (propagated-inputs
-     `(("ghc-x11" ,ghc-x11)
-       ("ghc-utf8-string" ,ghc-utf8-string)))
     (inputs
-     `(("libx11" ,libx11)
+     `(("ghc-x11" ,ghc-x11)
+       ("ghc-utf8-string" ,ghc-utf8-string)
+       ("libx11" ,libx11)
        ("libxft" ,libxft)
        ("xproto" ,xproto)))
     (native-inputs
@@ -1674,8 +1673,7 @@ in terms of large data quantities and high speed.")
     (build-system haskell-build-system)
     (arguments
      `(#:tests? #f)) ; FIXME: currently missing libraries used for tests.
-    ;; these inputs are necessary to use this library
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)))
     (home-page "https://github.com/tibbe/hashable")
     (synopsis
@@ -1767,18 +1765,18 @@ library, including the ability to split random number generators.")
         (base32
          "0wxjgdvb1c4ykazw774zlx86550848wbsvgjgcrdzcgbb9m650vq"))))
     (build-system haskell-build-system)
-    (inputs
+    (native-inputs
      `(("ghc-hunit" ,ghc-hunit)
-       ("ghc-libxml" ,ghc-libxml)
        ("ghc-quickcheck" ,ghc-quickcheck)))
-    (propagated-inputs
+    (inputs
      `(("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)
        ("ghc-hostname" ,ghc-hostname)
        ("ghc-old-locale" ,ghc-old-locale)
        ("ghc-random" ,ghc-random)
        ("ghc-regex-posix" ,ghc-regex-posix)
-       ("ghc-xml" ,ghc-xml)))
+       ("ghc-xml" ,ghc-xml)
+       ("ghc-libxml" ,ghc-libxml)))
     (home-page "https://batterseapower.github.io/test-framework/")
     (synopsis "Framework for running and organising tests")
     (description
@@ -1803,7 +1801,7 @@ reporting and test statistics output.")
         (base32
          "1h0h55kf6ff25nbfx1mhliwyknc0glwv3zi78wpzllbjbs7gvyfk"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-extensible-exceptions" ,ghc-extensible-exceptions)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-test-framework" ,ghc-test-framework)))
@@ -1834,7 +1832,7 @@ reporting and test statistics output.")
         '(substitute* "test-framework-quickcheck2.cabal"
            (("QuickCheck >= 2.4 && < 2.8") "QuickCheck >= 2.4 && < 2.9")))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-extensible-exceptions" ,ghc-extensible-exceptions)
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-random" ,ghc-random)
@@ -1861,8 +1859,7 @@ package.")
        (sha256
         (base32 "0445r2nns6009fmq0xbfpyv7jpzwv0snccjdg7hwj4xk4z0cwc1f"))))
     (build-system haskell-build-system)
-    ;; these inputs are necessary to use this package
-    (propagated-inputs
+    (inputs
      `(("ghc-primitive" ,ghc-primitive)
        ("ghc-random" ,ghc-random)))
     (home-page "https://hackage.haskell.org/package/tf-random")
@@ -1889,10 +1886,9 @@ Hashing\" by Claessen, Pałka for details and the rationale of the design.")
         (base32
          "11r3slgpgpra6zi2kjg3g60gvv17b1fh6qxipcpk8n86qx7lk8va"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-stm" ,ghc-stm)))
     (inputs
-     `(("ghc-transformers-compat" ,ghc-transformers-compat)))
+     `(("ghc-stm" ,ghc-stm)
+       ("ghc-transformers-compat" ,ghc-transformers-compat)))
     (home-page
      "https://hackage.haskell.org/package/transformers-compat")
     (synopsis
@@ -1943,7 +1939,7 @@ but also need those types.")
     (arguments
      `(#:tests? #f)) ; FIXME: Test fails with "System.Time not found".  This
                      ; is weird, that should be provided by GHC 7.10.2.
-    (propagated-inputs
+    (inputs
      `(("ghc-old-time" ,ghc-old-time)
        ("ghc-old-locale" ,ghc-old-locale)))
     (home-page "https://hackage.haskell.org/package/unix-time")
@@ -1994,11 +1990,10 @@ isn't available, portable implementations are used.")
     (arguments `(#:tests? #f)) ; FIXME: Tests cannot find
                                ; Blaze.Bytestring.Builder, which should be
                                ; provided by ghc-blaze-builder.
-    (propagated-inputs
-     `(("ghc-case-insensitive" ,ghc-case-insensitive)
-       ("ghc-blaze-builder" ,ghc-blaze-builder)))
     (inputs
-     `(("ghc-text" ,ghc-text)))
+     `(("ghc-case-insensitive" ,ghc-case-insensitive)
+       ("ghc-blaze-builder" ,ghc-blaze-builder)
+       ("ghc-text" ,ghc-text)))
     (home-page "https://github.com/aristidb/http-types")
     (synopsis "Generic HTTP types for Haskell")
     (description "This package provides generic HTTP types for Haskell (for
@@ -2047,11 +2042,10 @@ lines continued at an indented level below.")
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Tests cannot find System.ByteOrder,
                                ; exported by ghc-byteorder.  Doctest issue.
-    (propagated-inputs
-     `(("ghc-appar" ,ghc-appar)
-       ("ghc-byteorder" ,ghc-byteorder)))
     (inputs
-     `(("ghc-network" ,ghc-network)
+     `(("ghc-appar" ,ghc-appar)
+       ("ghc-byteorder" ,ghc-byteorder)
+       ("ghc-network" ,ghc-network)
        ("ghc-safe" ,ghc-safe)))
     (home-page "http://www.mew.org/~kazu/proj/iproute/")
     (synopsis "IP routing table")
@@ -2075,7 +2069,7 @@ removed.  Both IPv4 and IPv6 are supported.")
         (base32
          "0y1j4h2pg12c853nzmczs263di7xkkmlnsq5dlp5wgbgl49mgp10"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)))
     (home-page
      "http://sourceforge.net/projects/lazy-regex")
@@ -2099,7 +2093,7 @@ regex-posix, regex-pcre, regex-parsec, regex-tdfa, regex-dfa.")
         (base32
          "0gkhzhj8nvfn1ija31c7xnl6p0gadwii9ihyp219ck2arlhrj0an"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-regex-base" ,ghc-regex-base)))
     (home-page "http://sourceforge.net/projects/lazy-regex")
     (synopsis "POSIX regular expressions for Haskell")
@@ -2146,11 +2140,10 @@ Haskell library @code{regex-base}.")
         (base32
          "1vi11i23gkkjg6193ak90g55akj69bhahy542frkwb68haky4pp3"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-regex-base" ,ghc-regex-base)
-       ("ghc-parsec" ,ghc-parsec)))
     (inputs
-     `(("ghc-mtl" ,ghc-mtl)))
+     `(("ghc-regex-base" ,ghc-regex-base)
+       ("ghc-parsec" ,ghc-parsec)
+       ("ghc-mtl" ,ghc-mtl)))
     (home-page
      "https://hackage.haskell.org/package/regex-tdfa")
     (synopsis "Tagged DFA regex engine for Haskell")
@@ -2175,14 +2168,13 @@ Haskell library @code{regex-base}.")
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Test fails with "cannot satisfy
                                ; -package attoparsec-0.13.0.1"
-    (propagated-inputs
+    (inputs
      `(("ghc-base-orphans" ,ghc-base-orphans)
        ("ghc-attoparsec" ,ghc-attoparsec)
        ("ghc-parsec" ,ghc-parsec)
        ("ghc-scientific" ,ghc-scientific)
-       ("ghc-charset" ,ghc-charset)))
-    (inputs
-     `(("ghc-text" ,ghc-text)
+       ("ghc-charset" ,ghc-charset)
+       ("ghc-text" ,ghc-text)
        ("ghc-unordered-containers" ,ghc-unordered-containers)))
     (home-page "https://github.com/ekmett/parsers/")
     (synopsis "Parsing combinators")
@@ -2210,15 +2202,14 @@ the parsers provided by @code{parsec}, @code{attoparsec} and @code{base}'s
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Test fails with "cannot satisfy
                                ; -package ansi-terminal-0.6.2.3"
-    (propagated-inputs
+    (inputs
      `(("ghc-charset" ,ghc-charset)
        ("ghc-comonad" ,ghc-comonad)
        ("ghc-lens" ,ghc-lens)
        ("ghc-profunctors" ,ghc-profunctors)
        ("ghc-reducers" ,ghc-reducers)
-       ("ghc-semigroups" ,ghc-semigroups)))
-    (inputs
-     `(("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)
+       ("ghc-semigroups" ,ghc-semigroups)
+       ("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-blaze-html" ,ghc-blaze-html)
@@ -2250,14 +2241,14 @@ with slicing and Clang-style colored diagnostics.")
         (base32
          "0cprkr7bl4lrr80pz8mryb4rbfwdgpsrl7g0fbcaybhl8p5hm26f"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-scientific" ,ghc-scientific)))
     (inputs
+     `(("ghc-scientific" ,ghc-scientific)
+       ("ghc-text" ,ghc-text)))
+    (native-inputs
      `(("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-quickcheck-unicode" ,ghc-quickcheck-unicode)
        ("ghc-test-framework" ,ghc-test-framework)
        ("ghc-test-framework-quickcheck2" ,ghc-test-framework-quickcheck2)
-       ("ghc-text" ,ghc-text)
        ("ghc-vector" ,ghc-vector)))
     (home-page "https://github.com/bos/attoparsec")
     (synopsis "Fast combinator parsing for bytestrings and text")
@@ -2307,15 +2298,15 @@ Haskell.")
         (base32
          "169nkxr5zlbymiz1ydlhlqr66vqiycmg85xh559phpkr64w3nqj1"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-old-time" ,ghc-old-time)
-       ("ghc-digest" ,ghc-digest)))
     (inputs
-     `(("ghc-hunit" ,ghc-hunit)
-       ("ghc-mtl" ,ghc-mtl)
+     `(("ghc-old-time" ,ghc-old-time)
+       ("ghc-digest" ,ghc-digest)
        ("zip" ,zip)
+       ("ghc-mtl" ,ghc-mtl)
        ("ghc-text" ,ghc-text)
        ("ghc-zlib" ,ghc-zlib)))
+    (native-inputs
+     `(("ghc-hunit" ,ghc-hunit)))
     (home-page "https://hackage.haskell.org/package/zip-archive")
     (synopsis "Zip archive library for Haskell")
     (description "The zip-archive library provides functions for creating,
@@ -2339,7 +2330,7 @@ modifying, and extracting files from zip archives in Haskell.")
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: fails with "cannot satisfy -package
                                ; tagged-0.8.1".  Suspected Cabal issue.
-    (propagated-inputs
+    (inputs
      `(("ghc-tagged" ,ghc-tagged)
        ("ghc-transformers-compat" ,ghc-transformers-compat)))
     (home-page "https://github.com/ekmett/distributive/")
@@ -2385,14 +2376,13 @@ parser isolation, and labeled blocks for better error messages.")
         (base32
          "0arvbaxgkawzdp38hh53akkahjg2aa3kj2b4ns0ni8a5ylg2cqmp"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-distributive" ,ghc-distributive)
-       ("ghc-transformers-compat" ,ghc-transformers-compat)
-       ("ghc-contravariant" ,ghc-contravariant)))
     (arguments `(#:tests? #f)) ; FIXME: Test fails with "cannot satisfy
                                ; -package contravariant-1.3.3"
     (inputs
-     `(("ghc-semigroups" ,ghc-semigroups)
+     `(("ghc-distributive" ,ghc-distributive)
+       ("ghc-transformers-compat" ,ghc-transformers-compat)
+       ("ghc-contravariant" ,ghc-contravariant)
+       ("ghc-semigroups" ,ghc-semigroups)
        ("ghc-tagged" ,ghc-tagged)
        ("ghc-contravariant" ,ghc-contravariant)))
     (home-page "https://github.com/ekmett/comonad/")
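Review bot: The merged `inputs` list names `ghc-contravariant` twice: once among the entries moved over from `propagated-inputs`, and again as the last entry that was already there. The second entry is redundant, and a duplicated label makes it unclear which one a lookup by label would return. Drop the added `("ghc-contravariant" ,ghc-contravariant)` line so the list still ends with the existing entry. The package definition starts above this hunk, so its other fields are not visible here.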
@@ -2439,7 +2429,7 @@ and mIRC chat codes.")
         (base32
          "1z417f80b0jm4dgv25fk408p3d9mmcd1dlbya3ry0zdx4md09vrh"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)))
     (home-page
      "http://code.haskell.org/~malcolm/polyparse/")
@@ -2493,10 +2483,9 @@ this package makes them available back to GHC 7.2.")
         (base32
          "0lw2ipacpnp9yqmi8zsp01pzpn5hwj8af3y0f3079mddrmw48gw7"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-distributive" ,ghc-distributive)))
     (inputs
-     `(("ghc-comonad" ,ghc-comonad)
+     `(("ghc-distributive" ,ghc-distributive)
+       ("ghc-comonad" ,ghc-comonad)
        ("ghc-tagged" ,ghc-tagged)))
     (home-page "https://github.com/ekmett/profunctors/")
     (synopsis "Profunctors for Haskell")
@@ -2518,13 +2507,12 @@ this package makes them available back to GHC 7.2.")
         (base32
          "0pkddg0s3cn759miq0nfrq7lnp3imk5sx784ihsilsbjh9kvffz4"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-semigroupoids" ,ghc-semigroupoids)))
     (inputs
      `(("ghc-fingertree" ,ghc-fingertree)
        ("ghc-hashable" ,ghc-hashable)
        ("ghc-text" ,ghc-text)
        ("ghc-unordered-containers" ,ghc-unordered-containers)
+       ("ghc-semigroupoids" ,ghc-semigroupoids)
        ("ghc-semigroups" ,ghc-semigroups)))
     (home-page "https://github.com/ekmett/reducers/")
     (synopsis "Semigroups, specialized containers and a general map/reduce framework")
@@ -2662,7 +2650,7 @@ online}.")
         (base32
          "0g814lj7vaxvib2g3r734221k80k7ap9czv9hinifn8syals3l9j"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)))
     (home-page "http://code.galois.com")
     (synopsis "Simple XML library for Haskell")
@@ -2685,7 +2673,7 @@ online}.")
          "1x1bk1jf42k1gigiqqmkkh38z2ffhx8rsqiszdq3f94m2h6kw2h7"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Missing test-framework package.
-    (propagated-inputs
+    (inputs
      `(("ghc-stm" ,ghc-stm)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-transformers-compat" ,ghc-transformers-compat)))
@@ -2710,7 +2698,7 @@ for Haskell.")
         (base32
          "0is67bmsjmbbw6wymhis8wyq9gax3sszm573p5719fx2c9z9r24a"))))
     (build-system haskell-build-system)
-    (propagated-inputs `(("ghc-exceptions" ,ghc-exceptions)))
+    (inputs `(("ghc-exceptions" ,ghc-exceptions)))
     (home-page "http://www.github.com/batterseapower/temporary")
     (synopsis "Temporary file and directory support")
     (description "The functions for creating temporary files and directories
@@ -2735,7 +2723,7 @@ installed.")
         (base32
          "1nqih0qks439k3pr5kmbbc8rjdw730slrxlflqb27fbxbzb8skqs"))))
     (build-system haskell-build-system)
-    (propagated-inputs `(("ghc-exceptions" ,ghc-exceptions)))
+    (inputs `(("ghc-exceptions" ,ghc-exceptions)))
     (home-page
      "http://www.github.com/feuerbach/temporary")
     (synopsis
@@ -2764,10 +2752,9 @@ This is a better maintained fork of the \"temporary\" package.")
         (base32
          "1ygrabxh40bym3grnzqyfqn96lirnxspb8cmwkkr213239y605sd"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-logict" ,ghc-logict)))
     (inputs
-     `(("ghc-mtl" ,ghc-mtl)))
+     `(("ghc-logict" ,ghc-logict)
+       ("ghc-mtl" ,ghc-mtl)))
     (home-page
      "https://github.com/feuerbach/smallcheck")
     (synopsis "Property-based testing library")
@@ -2791,11 +2778,10 @@ automatically by SmallCheck.")
         (base32
          "0pgz2lclg2hp72ykljcbxd88pjanfdfk8m5vb2qzcyjr85kwrhxv"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-generic-deriving" ,ghc-generic-deriving)
-       ("ghc-xml" ,ghc-xml)))
     (inputs
-     `(("ghc-mtl" ,ghc-mtl)
+     `(("ghc-generic-deriving" ,ghc-generic-deriving)
+       ("ghc-xml" ,ghc-xml)
+       ("ghc-mtl" ,ghc-mtl)
        ("ghc-stm" ,ghc-stm)
        ("ghc-tagged" ,ghc-tagged)
        ("ghc-tasty" ,ghc-tasty)))
@@ -2874,11 +2860,10 @@ writing to stdout and other handles.")
         (base32
          "041s6963czs1pz0fc9cx17lgd6p83czqy2nxji7bhxqxwl2j15h2"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-old-time" ,ghc-old-time)
-       ("ghc-unordered-containers" ,ghc-unordered-containers)))
     (inputs
-     `(("ghc-hashable" ,ghc-hashable)
+     `(("ghc-old-time" ,ghc-old-time)
+       ("ghc-unordered-containers" ,ghc-unordered-containers)
+       ("ghc-hashable" ,ghc-hashable)
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-text" ,ghc-text)))
     (home-page
@@ -2955,8 +2940,7 @@ use HUnit assertions as QuickCheck properties.")
     (arguments
      `(#:tests? #f  ; FIXME: currently missing libraries used for tests.
        #:configure-flags '("-f base4")))
-    ;; these inputs are necessary to use this package
-    (propagated-inputs
+    (inputs
      `(("ghc-tf-random" ,ghc-tf-random)))
     (home-page
      "https://github.com/nick8325/quickcheck")
@@ -2985,7 +2969,7 @@ use HUnit assertions as QuickCheck properties.")
     (inputs
      `(("ghc-hunit" ,ghc-hunit)))
     ;; these inputs are necessary to use this library
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-hashable" ,ghc-hashable)))
     (arguments
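Review bot: After the rename this package has two `inputs` fields: the existing one holding `ghc-hunit`, and the one that used to be `propagated-inputs` holding `ghc-text` and `ghc-hashable`. A field given twice in one package form is presumably either rejected or resolved by silently ignoring one list, so one set of dependencies may be missing from the build. The hunk at -3296 in this commit turns the `ghc-hunit` field into `native-inputs`, and the same should be done here by renaming the first field. The leftover comment `;; these inputs are necessary to use this library` no longer describes anything and should go, as it does in the other hunks.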
@@ -3079,7 +3063,7 @@ encourages inductive, recursive definitions of graph algorithms.")
         '(substitute* "ChasingBottoms.cabal"
            (("syb >= 0.1.0.2 && < 0.6") "syb >= 0.1.0.2 && < 0.7")))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-random" ,ghc-random)
@@ -3118,9 +3102,8 @@ Partial and Infinite Values\"}.")
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-test-framework" ,ghc-test-framework)
        ("ghc-test-framework-hunit" ,ghc-test-framework-hunit)
-       ("ghc-test-framework-quickcheck2" ,ghc-test-framework-quickcheck2)))
-    ;; these inputs are necessary to use this library
-    (propagated-inputs `(("ghc-hashable" ,ghc-hashable)))
+       ("ghc-test-framework-quickcheck2" ,ghc-test-framework-quickcheck2)
+       ("ghc-hashable" ,ghc-hashable)))
     (home-page
      "https://github.com/tibbe/unordered-containers")
     (synopsis
@@ -3146,7 +3129,7 @@ and high speed.")
         (base32
          "1dx8f9aw27fz8kw0ad1nm6355w5rdl7bjvb427v2bsgnng30pipw"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-syb" ,ghc-syb)
        ("ghc-hashable" ,ghc-hashable)
        ("ghc-unordered-containers" ,ghc-unordered-containers)))
@@ -3240,7 +3223,7 @@ instances of the @code{Pretty} class.")
         (base32
          "025pyphsjf0dnbrmj5nscbi6gzyigwgp3ifxb3psn7kji6mfr29p"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-ansi-terminal" ,ghc-ansi-terminal)))
     (home-page "https://github.com/ekmett/ansi-wl-pprint")
     (synopsis "Wadler/Leijen Pretty Printer for colored ANSI terminal output")
@@ -3296,10 +3279,9 @@ mainstream languages.")
        (sha256
         (base32 "1ja20cmj6v336jy87c6h3jzjp00sdbakwbdwp11iln499k913xvi"))))
     (build-system haskell-build-system)
-    (inputs
+    (native-inputs
      `(("ghc-hunit" ,ghc-hunit)))
-    ;; these inputs are necessary to use this library
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-mtl" ,ghc-mtl)))
     (arguments
@@ -3330,10 +3312,8 @@ is also parametric in the input stream type.")
          "1r1jlksy7b0kb0fy00g64isk6nyd9wzzdq31gx5v1wn38knj0lqa"))))
     (build-system haskell-build-system)
     (inputs
-     `(("ghc-quickcheck" ,ghc-quickcheck)))
-    ;; these inputs are necessary to use this library
-    (propagated-inputs
-     `(("ghc-primitive" ,ghc-primitive)))
+     `(("ghc-primitive" ,ghc-primitive)
+       ("ghc-quickcheck" ,ghc-quickcheck)))
     (arguments
      `(#:tests? #f))      ; FIXME: currently missing libraries used for tests.
     (home-page "https://github.com/haskell/vector")
@@ -3358,10 +3338,9 @@ optimisation framework.")
         (base32
          "028rsf2w193rhs1gic5yvvrwidw9sblczcn10aw64npfc6502l4l"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-cereal" ,ghc-cereal)))
     (inputs
-     `(("ghc-vector" ,ghc-vector)))
+     `(("ghc-cereal" ,ghc-cereal)
+       ("ghc-vector" ,ghc-vector)))
     (home-page "https://github.com/bos/vector-binary-instances")
     (synopsis "Instances of Data.Binary and Data.Serialize for vector")
     (description "This library provides instances of @code{Binary} for the
@@ -3413,13 +3392,13 @@ boxed and storable vectors.")
         (base32
          "1pwbqb2rk4rnvllvdch42p5368xcvpkanp7bxckdhxya8zzwvhhg"))))
     (build-system haskell-build-system)
-    (inputs
-     `(("ghc-hunit" ,ghc-hunit)
-       ("ghc-network" ,ghc-network)))
     (arguments
      `(#:tests? #f))  ; FIXME: currently missing libraries used for tests.
-    (propagated-inputs
-     `(("ghc-parsec" ,ghc-parsec)))
+    (native-inputs
+     `(("ghc-hunit" ,ghc-hunit)))
+    (inputs
+     `(("ghc-parsec" ,ghc-parsec)
+       ("ghc-network" ,ghc-network)))
     (home-page
      "https://github.com/haskell/network-uri")
     (synopsis "Library for URI manipulation")
@@ -3466,9 +3445,9 @@ cursor, and changing the title.")
         (base32
          "0nyqdxr5ls2dxkf4a1f3x15xzwdm46ppn99nkcbhswlr6s3cq1s4"))))
     (build-system haskell-build-system)
-    (inputs
+    (native-inputs
      `(("ghc-hunit" ,ghc-hunit)))
-    (propagated-inputs
+    (inputs
      `(("ghc-old-time" ,ghc-old-time)
        ("ghc-parsec" ,ghc-parsec)
        ("ghc-mtl" ,ghc-mtl)
@@ -3499,14 +3478,13 @@ responses coming back.")
         (base32
          "0zqisxznlbszivsgy3irvf566zhcr6ipqqj3x9i7pj5hy913jwqf"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-hspec-core" ,ghc-hspec-core)
        ("hspec-discover" ,hspec-discover)
        ("ghc-hspec-expectations" ,ghc-hspec-expectations)
        ("ghc-quickcheck" ,ghc-quickcheck)
-       ("ghc-hunit" ,ghc-hunit)))
-    (inputs
-     `(("ghc-stringbuilder" ,ghc-stringbuilder)
+       ("ghc-hunit" ,ghc-hunit)
+       ("ghc-stringbuilder" ,ghc-stringbuilder)
        ("ghc-hspec-meta" ,ghc-hspec-meta)))
     (home-page "http://hspec.github.io/")
     (synopsis "Testing Framework for Haskell")
@@ -3527,11 +3505,13 @@ Haskell, inspired by the Ruby library RSpec.")
                (base32
                 "006syw8xagfhsx06ws9ywig1qx5lk4cgl7sq6pbid1s64c72mxn4"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-hspec-core" ,ghc-hspec-core)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-hspec" ,ghc-hspec)
        ("ghc-quickcheck" ,ghc-quickcheck)))
+    (native-inputs
+     `(("hspec-discover" ,hspec-discover)))
     (home-page "http://hspec.github.io/")
     (synopsis "Contributed functionality for Hspec")
     (description
@@ -3600,13 +3580,12 @@ runs Hspec tests.")
          "1wgd55k652jaf81nkvciyqi67ycj7zamr4nd9z1cqf8nr9fc3sa4"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: testing libraries are missing.
-    (propagated-inputs
+    (inputs
      `(("ghc-setenv" ,ghc-setenv)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-async" ,ghc-async)
-       ("ghc-quickcheck-io" ,ghc-quickcheck-io)))
-    (inputs
-     `(("ghc-hunit" ,ghc-hunit)
+       ("ghc-quickcheck-io" ,ghc-quickcheck-io)
+       ("ghc-hunit" ,ghc-hunit)
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-hspec-expectations" ,ghc-hspec-expectations)
        ("ghc-silently" ,ghc-silently)))
@@ -3631,7 +3610,7 @@ be used to extend Hspec's functionality.")
         (base32
          "1fmqmgrzp135cxhmxxbaswkk4bqbpgfml00cmcz0d39n11vzpa5z"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
@@ -3661,7 +3640,7 @@ used to test the in-development version of Hspec.")
         (base32
          "0ah6qrg71krc87f4vjy4b4shdd0mgyil8fikb3j6fl4kfwlg67jn"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-unordered-containers" ,ghc-unordered-containers)
        ("ghc-hashable" ,ghc-hashable)))
     (home-page
@@ -3712,7 +3691,7 @@ manipulating monad transformer stacks.")
         (base32
          "07pn1p4m80wdd7gw62s4yny8rbvm60ka1q8qx5y1plznd8sbg179"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-stm" ,ghc-stm)
        ("ghc-transformers-base" ,ghc-transformers-base)
        ("ghc-transformers-compat" ,ghc-transformers-compat)))
@@ -3763,9 +3742,10 @@ system.")
         (base32
          "02m93hzgxg4bcnp7xcc2fdh2hrsc2h6fwl8hix5nx9k864kwf41q"))))
     (build-system haskell-build-system)
-    (inputs
+    (native-inputs
      `(("ghc-quickcheck" ,ghc-quickcheck)
-       ("ghc-hspec" ,ghc-hspec)))
+       ("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/base-compat")
     (synopsis "Haskell compiler compatibility library")
     (description "This library provides functions available in later versions
@@ -3789,7 +3769,7 @@ pragmas in your code.")
          "1id3w33x9f7q5m3xpggmvzw03bkp94bpfyz81625bldqgf3yqdn1"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f))          ; FIXME: Missing test libraries.
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-utf8-string" ,ghc-utf8-string)))
     (home-page "https://github.com/lpsmith/blaze-builder")
@@ -3817,7 +3797,7 @@ interoperate with code that uses the new implementation.")
          "080vlhd8dwjxrma4bb524lh8gxs5lm3xh122icy6lnnyipla0s9y"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: testing libraries are missing.
-    (propagated-inputs
+    (inputs
      `(("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-text" ,ghc-text)))
     (home-page "http://jaspervdj.be/blaze")
@@ -3842,7 +3822,7 @@ library for Haskell.")
          "1dnw50kh0s405cg9i2y4a8awanhj3bqzk21jwgfza65kcjby7lpq"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: testing libraries are missing.
-    (propagated-inputs
+    (inputs
      `(("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-text" ,ghc-text)
        ("ghc-blaze-markup" ,ghc-blaze-markup)))
@@ -3888,11 +3868,10 @@ library for Haskell.")
          "0azx4qk65a9a2gvqsfmz3w89m6shzr2iz0i5lly2zvly4n2d6m6v"))))
     (build-system haskell-build-system)
     (inputs
-     `(("ghc-hunit" ,ghc-hunit)
+     `(("ghc-stm" ,ghc-stm)
+       ("ghc-hunit" ,ghc-hunit)
        ("ghc-test-framework" ,ghc-test-framework)
        ("ghc-test-framework-hunit" ,ghc-test-framework-hunit)))
-    (propagated-inputs
-     `(("ghc-stm" ,ghc-stm)))
     (home-page "https://github.com/simonmar/async")
     (synopsis "Library to run IO operations asynchronously")
     (description "Async provides a library to run IO operations
@@ -3940,7 +3919,7 @@ simple general-purpose data structure\".")
         (base32
          "0ni52ii9555jngljvzxn1ngicr6i2w647ww3rzhdrmng04y95iii"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-transformers-compat" ,ghc-transformers-compat)
        ("ghc-ansi-wl-pprint" ,ghc-ansi-wl-pprint)))
     (home-page "https://github.com/pcapriotti/optparse-applicative")
@@ -3964,9 +3943,10 @@ command line options in Haskell.")
         (base32
          "0hhgpwjvx7jhvlhsygmmf0q5hv2ymijzz4bjilicw99bmv13qcpl"))))
     (build-system haskell-build-system)
-    (inputs
+    (native-inputs
      `(("ghc-quickcheck" ,ghc-quickcheck)
-       ("ghc-hspec" ,ghc-hspec)))
+       ("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/base-orphans")
     (synopsis "Orphan instances for backwards compatibility")
     (description "This package defines orphan instances that mimic instances
@@ -4101,10 +4081,9 @@ timer functions of different operating systems via a unified API.")
         (base32
          "1gn0m96qpjww8hpp2g1as5yy0wcwy4iq73h3kz6g0yxxhcl5sh9x"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-semigroups" ,ghc-semigroups)))
     (inputs
-     `(("ghc-unordered-containers" ,ghc-unordered-containers)))
+     `(("ghc-semigroups" ,ghc-semigroups)
+       ("ghc-unordered-containers" ,ghc-unordered-containers)))
     (home-page "https://github.com/ekmett/charset")
     (synopsis "Fast unicode character sets for Haskell")
     (description "This package provides fast unicode character sets for
@@ -4171,10 +4150,9 @@ Compatibility package for older packages.")
         (base32
          "1x15x2axz84ndw2bf60vjqljhrb0w95lddaljsxrl0hcd29zvw69"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-semigroups" ,ghc-semigroups)))
     (inputs
-     `(("ghc-hashable" ,ghc-hashable)))
+     `(("ghc-semigroups" ,ghc-semigroups)
+       ("ghc-hashable" ,ghc-hashable)))
     (home-page "https://github.com/ekmett/void")
     (synopsis
      "Logically uninhabited data type")
@@ -4198,10 +4176,9 @@ given term should not exist.")
         (base32
          "0iywbadpy8s3isfzlx9dlz3apaywhqq4gdbxkwygksq8pzdhwkrk"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-adjunctions" ,ghc-adjunctions)))
     (inputs
-     `(("ghc-comonad" ,ghc-comonad)
+     `(("ghc-adjunctions" ,ghc-adjunctions)
+       ("ghc-comonad" ,ghc-comonad)
        ("ghc-contravariant" ,ghc-contravariant)
        ("ghc-distributive" ,ghc-distributive)
        ("ghc-free" ,ghc-free)
@@ -4229,7 +4206,7 @@ forms of the Yoneda lemma, and (co)density (co)monads for Haskell.")
         (base32
          "1ap51cvwq61xckx5hw44l82ihbxvsq3263xr5hqg42c5qp67kbhf"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-stm" ,ghc-stm)))
     (home-page "https://hackage.haskell.org/package/StateVar")
     (synopsis "State variables for Haskell")
@@ -4253,7 +4230,7 @@ in the @code{IO} monad, like @code{IORef}s or parts of the OpenGL state.")
          "0g4g0xksrb2m8wgsmraaq8qnk1sssb42kr65fc7clgyid6zyfmim"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: doctest packagedb propagation problem.
-    (propagated-inputs
+    (inputs
      `(("ghc-base-orphans" ,ghc-base-orphans)
        ("ghc-bifunctors" ,ghc-bifunctors)
        ("ghc-distributive" ,ghc-distributive)
@@ -4263,9 +4240,8 @@ in the @code{IO} monad, like @code{IORef}s or parts of the OpenGL state.")
        ("ghc-parallel" ,ghc-parallel)
        ("ghc-reflection" ,ghc-reflection)
        ("ghc-semigroupoids" ,ghc-semigroupoids)
-       ("ghc-vector" ,ghc-vector)))
-    (inputs
-     `(("ghc-comonad" ,ghc-comonad)
+       ("ghc-vector" ,ghc-vector)
+       ("ghc-comonad" ,ghc-comonad)
        ("ghc-contravariant" ,ghc-contravariant)
        ("ghc-hashable" ,ghc-hashable)
        ("ghc-mtl" ,ghc-mtl)
@@ -4359,11 +4335,10 @@ are implemented as FFI bindings to efficient code from zlib.")
         (base32
          "0drx1hlqvdcrij4097q6bxhbfcqm73jsqv1wwhd3hsnjdmr46ch2"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-xss-sanitize" ,ghc-xss-sanitize)
-       ("ghc-data-default" ,ghc-data-default)))
     (inputs
-     `(("ghc-mtl" ,ghc-mtl)
+     `(("ghc-xss-sanitize" ,ghc-xss-sanitize)
+       ("ghc-data-default" ,ghc-data-default)
+       ("ghc-mtl" ,ghc-mtl)
        ("ghc-text" ,ghc-text)
        ("ghc-blaze-html" ,ghc-blaze-html)
        ("ghc-syb" ,ghc-syb)
@@ -4419,16 +4394,15 @@ attacks.")
         (base32
          "1jf7jnfhdvl6p18wdr21yi2fim1xb8alcn6szhrdswj0dkilgq6d"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (arguments `(#:tests? #f)) ; FIXME: doctest packagedb propagation problem.
+    (inputs
      `(("ghc-base-orphans" ,ghc-base-orphans)
        ("ghc-transformers-compat" ,ghc-transformers-compat)
        ("ghc-bifunctors" ,ghc-bifunctors)
        ("ghc-comonad" ,ghc-comonad)
        ("ghc-contravariant" ,ghc-contravariant)
-       ("ghc-distributive" ,ghc-distributive)))
-    (arguments `(#:tests? #f)) ; FIXME: doctest packagedb propagation problem.
-    (inputs
-     `(("ghc-semigroups" ,ghc-semigroups)
+       ("ghc-distributive" ,ghc-distributive)
+       ("ghc-semigroups" ,ghc-semigroups)
        ("ghc-tagged" ,ghc-tagged)))
     (home-page "https://github.com/ekmett/semigroupoids")
     (synopsis "Semigroupoids operations for Haskell")
@@ -4457,12 +4431,11 @@ just a @code{Semigroup} are added.")
         (base32
          "184hcmhsznqrkmqlc1kza9pb5p591anva574ry8wrh81vqmhwfb5"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-void" ,ghc-void)
        ("ghc-transformers-compat" ,ghc-transformers-compat)
-       ("ghc-statevar" ,ghc-statevar)))
-    (inputs
-     `(("ghc-semigroups" ,ghc-semigroups)))
+       ("ghc-statevar" ,ghc-statevar)
+       ("ghc-semigroups" ,ghc-semigroups)))
     (home-page
      "https://github.com/ekmett/contravariant/")
     (synopsis "Contravariant functors")
@@ -4484,12 +4457,11 @@ just a @code{Semigroup} are added.")
         (base32
          "0gvpfi7s6ys4qha3y9a1zl1a15gf9cgg33wjb94ghg82ivcxnc3r"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-nats" ,ghc-nats)
        ("ghc-tagged" ,ghc-tagged)
-       ("ghc-unordered-containers" ,ghc-unordered-containers)))
-    (inputs
-     `(("ghc-text" ,ghc-text)
+       ("ghc-unordered-containers" ,ghc-unordered-containers)
+       ("ghc-text" ,ghc-text)
        ("ghc-hashable" ,ghc-hashable)))
     (home-page "https://github.com/ekmett/semigroups/")
     (synopsis "Semigroup operations for Haskell")
@@ -4517,12 +4489,11 @@ semigroup.")
         (base32
          "0sr8phvrb4ny8j1wzq55rdn8q4br23q4pw2j276npr844825jr9p"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-prelude-extras" ,ghc-prelude-extras)
        ("ghc-profunctors" ,ghc-profunctors)
-       ("ghc-exceptions" ,ghc-exceptions)))
-    (inputs
-     `(("ghc-bifunctors" ,ghc-bifunctors)
+       ("ghc-exceptions" ,ghc-exceptions)
+       ("ghc-bifunctors" ,ghc-bifunctors)
        ("ghc-comonad" ,ghc-comonad)
        ("ghc-distributive" ,ghc-distributive)
        ("ghc-mtl" ,ghc-mtl)
@@ -4554,10 +4525,9 @@ definition of @code{Monad}.")
         (base32
          "00p030iypjzjib8pxz1x6mxfi59wvyrwjj11zv9bh766dgkdbwjq"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-profunctors" ,ghc-profunctors)))
     (inputs
-     `(("ghc-comonad" ,ghc-comonad)
+     `(("ghc-profunctors" ,ghc-profunctors)
+       ("ghc-comonad" ,ghc-comonad)
        ("ghc-contravariant" ,ghc-contravariant)
        ("ghc-distributive" ,ghc-distributive)
        ("ghc-free" ,ghc-free)
@@ -4587,12 +4557,13 @@ for Haskell.")
         (base32
          "0kjk1861qcls8m8y7i55msfpprws5wk6c5mxzi35g2qbl2sih4p5"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-bytestring-builder" ,ghc-bytestring-builder)
-       ("ghc-auto-update" ,ghc-auto-update)))
     (inputs
-     `(("ghc-hspec" ,ghc-hspec)
+     `(("ghc-bytestring-builder" ,ghc-bytestring-builder)
+       ("ghc-auto-update" ,ghc-auto-update)
        ("ghc-text" ,ghc-text)))
+    (native-inputs
+     `(("hspec-discover" ,hspec-discover)
+       ("ghc-hspec" ,ghc-hspec)))
     (home-page "https://hackage.haskell.org/package/fast-logger")
     (synopsis "Fast logging system")
     (description "This library provides a fast logging system for Haskell.")
@@ -4614,11 +4585,10 @@ for Haskell.")
          "1jbyhzbi2hfrfg7vbkpj6vriaap8cn99nnmzwcfscwaijz09jyrm"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f))          ; FIXME: missing test framework
-    (propagated-inputs
-     `(("ghc-syb" ,ghc-syb)
-       ("ghc-paths" ,ghc-paths)))
     (inputs
-     `(("ghc-base-compat" ,ghc-base-compat)
+     `(("ghc-syb" ,ghc-syb)
+       ("ghc-paths" ,ghc-paths)
+       ("ghc-base-compat" ,ghc-base-compat)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-hspec" ,ghc-hspec)
        ("ghc-quickcheck" ,ghc-quickcheck)
@@ -4649,11 +4619,10 @@ It is modeled after doctest for Python, see
          "1yz14a1rsgknwyl08n4kxrlc26hfwmb95a3c2drbnsgmhdyq7iap"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Missing testing libraries.
-    (propagated-inputs
-     `(("ghc-transformers-base" ,ghc-transformers-base)
-       ("ghc-monad-control" ,ghc-monad-control)))
     (inputs
-     `(("ghc-transformers-compat" ,ghc-transformers-compat)
+     `(("ghc-transformers-base" ,ghc-transformers-base)
+       ("ghc-monad-control" ,ghc-monad-control)
+       ("ghc-transformers-compat" ,ghc-transformers-compat)
        ("ghc-hunit" ,ghc-hunit)))
     (home-page "https://github.com/basvandijk/lifted-base")
     (synopsis "Lifted IO operations from the base library")
@@ -4679,8 +4648,9 @@ Kaseorg.")
         (base32
          "1pbn8ra3qhwvw07p375cdmp7jzlg07hgdcr4cpscz3h7b9sy7fiw"))))
     (build-system haskell-build-system)
-    (inputs
-     `(("ghc-hspec" ,ghc-hspec)))
+    (native-inputs
+     `(("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/word8")
     (synopsis "Word8 library for Haskell")
     (description "Word8 library to be used with @code{Data.ByteString}.")
@@ -4723,10 +4693,9 @@ occurrences of a substring (the first in case of overlaps) with another.")
         (base32
          "15rjxib5jmjq0hzj47x15kgp3awc73va4cy1pmpf7k3hvfv4qprn"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-quickcheck" ,ghc-quickcheck)))
     (inputs
-     `(("ghc-tagged" ,ghc-tagged)
+     `(("ghc-quickcheck" ,ghc-quickcheck)
+       ("ghc-tagged" ,ghc-tagged)
        ("ghc-tasty" ,ghc-tasty)
        ("ghc-random" ,ghc-random)
        ("ghc-ansi-terminal" ,ghc-ansi-terminal)
@@ -4753,10 +4722,9 @@ Haskell test framework.")
         (base32
          "0n7nll1sx75n3lffwhgnjrxdn0jz1g0921z9mj193fxqw0wz8axh"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-temporary" ,ghc-temporary)))
     (inputs
-     `(("ghc-tasty" ,ghc-tasty)
+     `(("ghc-temporary" ,ghc-temporary)
+       ("ghc-tasty" ,ghc-tasty)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-optparse-applicative" ,ghc-optparse-applicative)
        ("ghc-tagged" ,ghc-tagged)
@@ -4788,7 +4756,7 @@ the correct result for the test.")
         (base32
          "1chapivmmwsb1ghwagvdm80bfj3hdk75m94z4p212ng2i4ghpjkx"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-stm" ,ghc-stm)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-tagged" ,ghc-tagged)
@@ -4843,10 +4811,9 @@ test framework.")
         (base32
          "0b6ym6fn29p5az4dwydy036lxj131kagrmgb93w4bbkqfkds8b9s"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-old-locale" ,ghc-old-locale)))
     (inputs
-     `(("ghc-blaze-builder" ,ghc-blaze-builder)
+     `(("ghc-old-locale" ,ghc-old-locale)
+       ("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-text" ,ghc-text)
        ("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-hunit" ,ghc-hunit)
@@ -4874,11 +4841,10 @@ test framework.")
         (base32
          "0mimdkva0cgzaychr6whv9if29z0r5wwhkss9bmd4rz8kq1kgngn"))))
     (build-system haskell-build-system)
-    (propagated-inputs
-     `(("ghc-hashable" ,ghc-hashable)
-       ("ghc-vector" ,ghc-vector)))
     (inputs
-     `(("ghc-text" ,ghc-text)
+     `(("ghc-hashable" ,ghc-hashable)
+       ("ghc-vector" ,ghc-vector)
+       ("ghc-text" ,ghc-text)
        ("ghc-tasty" ,ghc-tasty)
        ("ghc-tasty-ant-xml" ,ghc-tasty-ant-xml)
        ("ghc-tasty-hunit" ,ghc-tasty-hunit)
@@ -4911,16 +4877,15 @@ notation}.")
          "19kp33rfivr4d3myyr8xn803wd7p8x5nc4wb3qvlgjwgyqjaxvrz"))))
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: testing libraries are missing.
-    (propagated-inputs
+    (inputs
      `(("ghc-attoparsec" ,ghc-attoparsec)
        ("ghc-dlist" ,ghc-dlist)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-scientific" ,ghc-scientific)
        ("ghc-syb" ,ghc-syb)
        ("ghc-unordered-containers" ,ghc-unordered-containers)
-       ("ghc-vector" ,ghc-vector)))
-    (inputs
-     `(("ghc-hashable" ,ghc-hashable)
+       ("ghc-vector" ,ghc-vector)
+       ("ghc-hashable" ,ghc-hashable)
        ("ghc-text" ,ghc-text)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-quickcheck" ,ghc-quickcheck)))
@@ -4979,18 +4944,19 @@ essentially the opposite of pretty-printing.")
         (base32
          "1551n0g0n22vml33v0jz5xgjcy6j79algvsdqg11a1z5ljjrjlqf"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-bytestring-builder" ,ghc-bytestring-builder)
        ("ghc-unix-compat" ,ghc-unix-compat)
        ("ghc-vault" ,ghc-vault)
        ("ghc-blaze-builder" ,ghc-blaze-builder)
-       ("ghc-network" ,ghc-network)))
-    (inputs
-     `(("ghc-quickcheck" ,ghc-quickcheck)
-       ("ghc-hunit" ,ghc-hunit)
-       ("ghc-hspec" ,ghc-hspec)
+       ("ghc-network" ,ghc-network)
        ("ghc-text" ,ghc-text)
        ("ghc-http-types" ,ghc-http-types)))
+    (native-inputs
+     `(("hspec-discover" ,hspec-discover)
+       ("ghc-quickcheck" ,ghc-quickcheck)
+       ("ghc-hunit" ,ghc-hunit)
+       ("ghc-hspec" ,ghc-hspec)))
     (home-page "https://hackage.haskell.org/package/wai")
     (synopsis "Web application interface for Haskell")
     (description "This package provides a Web Application Interface (WAI)
@@ -5015,13 +4981,12 @@ communication between web applications and web servers.")
     (build-system haskell-build-system)
     (arguments `(#:tests? #f)) ; FIXME: Tests cannot find libraries exported
                                ; by propagated-inputs.
-    (propagated-inputs
+    (inputs
      `(("ghc-auto-update" ,ghc-auto-update)
        ("ghc-byteorder" ,ghc-byteorder)
        ("ghc-easy-file" ,ghc-easy-file)
-       ("ghc-unix-time" ,ghc-unix-time)))
-    (inputs
-     `(("ghc-blaze-builder" ,ghc-blaze-builder)
+       ("ghc-unix-time" ,ghc-unix-time)
+       ("ghc-blaze-builder" ,ghc-blaze-builder)
        ("ghc-case-insensitive" ,ghc-case-insensitive)
        ("ghc-fast-logger" ,ghc-fast-logger)
        ("ghc-http-types" ,ghc-http-types)
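Review bot: The FIXME next to `#:tests? #f` still blames libraries exported by `propagated-inputs`, but this hunk renames that field to `inputs`, so the package no longer has one. The stated reason for disabling the test suite may therefore no longer hold. Please re-run the tests with the new field layout and drop `#:tests? #f` if they pass. If they still fail, reword the comment to describe the actual failure, so the suite is not left off for a reason nobody can check.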
@@ -5047,7 +5012,7 @@ communication between web applications and web servers.")
         (base32
          "1kr2s5qyx1dvnwr372h7pca4sgxjv0pdx96xkgsfi180h3mb0vq8"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-ansi-terminal" ,ghc-ansi-terminal)
        ("ghc-base64-bytestring" ,ghc-base64-bytestring)
        ("ghc-cookie" ,ghc-cookie)
@@ -5062,16 +5027,17 @@ communication between web applications and web servers.")
        ("ghc-zlib" ,ghc-zlib)
        ("ghc-word8" ,ghc-word8)
        ("ghc-iproute" ,ghc-iproute)
-       ("ghc-void" ,ghc-void)))
-    (inputs
-     `(("ghc-wai" ,ghc-wai)
+       ("ghc-void" ,ghc-void)
+       ("ghc-wai" ,ghc-wai)
        ("ghc-http-types" ,ghc-http-types)
        ("ghc-text" ,ghc-text)
        ("ghc-case-insensitive" ,ghc-case-insensitive)
        ("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-unix-compat" ,ghc-unix-compat)
        ("ghc-vault" ,ghc-vault)
-       ("ghc-aeson" ,ghc-aeson)
+       ("ghc-aeson" ,ghc-aeson)))
+    (native-inputs
+     `(("hspec-discover" ,hspec-discover)
        ("ghc-hspec" ,ghc-hspec)
        ("ghc-hunit" ,ghc-hunit)))
     (home-page "https://github.com/yesodweb/wai")
@@ -5126,7 +5092,7 @@ providing an 'rnf' implementation.")
                (base32
                 "094mzgdxva84kcpjf9m8b5n3chm1wm44bzflh5x6xhddz6pb7zpq"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-syb" ,ghc-syb)
        ("ghc-aeson" ,ghc-aeson)
        ("ghc-deepseq-generics" ,ghc-deepseq-generics)))
@@ -5150,7 +5116,7 @@ building up, manipulating and serialising @code{Pandoc} structures.")
                (base32
                 "143c8k7dyhwa9blpa8svy23ybx7i4xzb9jnfcimj8iigizbw7y1k"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-syb" ,ghc-syb)
        ("ghc-network-uri" ,ghc-network-uri)
        ("ghc-split" ,ghc-split)
@@ -5184,7 +5150,7 @@ it can parse and apply LaTeX macros.")
                (base32
                 "0y7as9wqlkykpipka2cfdhmcnin345q01pp0wsva8fwmvsavdl8b"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-regex-base" ,ghc-regex-base)))
     (home-page "https://hackage.haskell.org/package/regex-pcre")
     (synopsis "Enhancement of the builtin Text.Regex library")
@@ -5226,7 +5192,7 @@ and utilities for pretty printing.")
                (base32
                 "03c4flh4h1jd48bx0qmplax3q8w6wj1dhbh6j0xhaf5h95fbinki"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-diff" ,ghc-diff)
        ("ghc-regex-pcre-builtin" ,ghc-regex-pcre-builtin)))
     (native-inputs
@@ -5257,7 +5223,7 @@ descriptions.")
                (base32
                 "09515h9b26az9c2mbl6l7azimaixa6yff8w359k0ml8jwykjvqaa"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)))
     (native-inputs
      `(("ghc-hunit" ,ghc-hunit)))
@@ -5305,7 +5271,7 @@ as invoked.\" This library tries to provide the missing path.")
                (base32
                 "16ax1kqdsk4apg642qxkm2hf9vb5hzmkd14zmkxra8ssp8rn28z5"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-lifted-base" ,ghc-lifted-base)
        ("ghc-monad-control" ,ghc-monad-control)
        ("ghc-async" ,ghc-async)
@@ -5362,7 +5328,7 @@ asynchronous exceptions.")
                (base32
                 "13xdkk1chdghf059sfx8d3d8r0mj1dbzdi5kf2zf0mjmz3qq7m7k"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-packedstring" ,ghc-packedstring)))
     (home-page "https://github.com/mboes/th-lift")
     (synopsis "Derive Template Haskell's Lift class for datatypes")
@@ -5384,7 +5350,7 @@ datatypes.")
                (base32
                 "03qv93pyqk8all39knsf0mzmbfdck5x61kqnyn8rbisw5c1ymx6j"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-syb" ,ghc-syb)))
     (home-page "https://hackage.haskell.org/package/th-expand-syns")
     (synopsis "Expands type synonyms in Template Haskell ASTs")
@@ -5406,7 +5372,7 @@ datatypes.")
                (base32
                 "00hryljcs434wcv1vaamfdbjk857f46djxv7mlwplkl3zsmfhlfx"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-safe" ,ghc-safe)
        ("ghc-th-expand-syns" ,ghc-th-expand-syns)))
@@ -5431,7 +5397,7 @@ function which generates instances.")
                (base32
                 "105y03bxh0a2r69l603i7md17gg1vxs1jj1n40pn5q486lmfxbmx"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-th-lift" ,ghc-th-lift)
        ("ghc-th-reify-many" ,ghc-th-reify-many)
        ("ghc-mtl" ,ghc-mtl)
@@ -5460,7 +5426,7 @@ package, and that's where the version number started.")
                (base32
                 "1mzbfrfvl6pj8068w3m6alzry1403ir1gmz3czg66n5z198l4dql"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-haskell-src-exts" ,ghc-haskell-src-exts)
        ("ghc-syb" ,ghc-syb)
        ("ghc-th-orphans" ,ghc-th-orphans)))
@@ -5483,7 +5449,7 @@ template-haskell abstract syntax.")
                (base32
                 "1z8kh3qjc4khadz1ijdqm7fbk7dh17sisqhpwd3c9aibj2927k9d"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-base-compat" ,ghc-base-compat)
        ("ghc-text" ,ghc-text)
        ("ghc-attoparsec" ,ghc-attoparsec)
@@ -5493,7 +5459,8 @@ template-haskell abstract syntax.")
        ("ghc-parsec" ,ghc-parsec)
        ("ghc-haskell-src-meta" ,ghc-haskell-src-meta)))
     (native-inputs
-     `(("ghc-hspec" ,ghc-hspec)))
+     `(("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://github.com/zalora/aeson-qq")
     (synopsis "JSON quasiquoter for Haskell")
     (description
@@ -5514,7 +5481,7 @@ of a JSON value into a @code{Data.Aeson.Value}.")
                (base32
                 "0aq6wswd5dkhdmy7sjhd99mldpq33dqpgbdcwpm94ahvckqxs7v5"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-exceptions" ,ghc-exceptions)
        ("ghc-lifted-base" ,ghc-lifted-base)
        ("ghc-mmorph" ,ghc-mmorph)
@@ -5550,7 +5517,8 @@ enumerator/iteratee and pipes." )
                 "0zhdbjyj0j9by19rma9alxysrxnnl3s4kks4zk4bx0dg5xa0264y"))))
     (build-system haskell-build-system)
     (native-inputs
-     `(("ghc-hspec" ,ghc-hspec)))
+     `(("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/logging-facade")
     (synopsis "Simple logging abstraction that allows multiple back-ends")
     (description
@@ -5570,11 +5538,12 @@ back-ends.")
                (base32
                 "0m0lp2z63sgkylz5318j53r5hnrkp705qh7nqbb149ir4gy7g1bg"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-temporary" ,ghc-temporary)
        ("ghc-logging-facade" ,ghc-logging-facade)))
     (native-inputs
-     `(("ghc-hspec" ,ghc-hspec)))
+     `(("ghc-hspec" ,ghc-hspec)
+       ("hspec-discover" ,hspec-discover)))
     (home-page "https://hackage.haskell.org/package/mockery")
     (synopsis "Support functions for automated testing")
     (description
@@ -5593,7 +5562,7 @@ back-ends.")
                (base32
                 "0v6c435xmgm99zxb30pqr7lhkb2a56wxqp70g4hjz8p7rj0vichx"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-conduit" ,ghc-conduit)
        ("ghc-resourcet" ,ghc-resourcet)
        ("ghc-aeson" ,ghc-aeson)
@@ -5608,6 +5577,7 @@ back-ends.")
     (native-inputs
      `(("ghc-hspec" ,ghc-hspec)
        ("ghc-hunit" ,ghc-hunit)
+       ("hspec-discover" ,hspec-discover)
        ("ghc-mockery" ,ghc-mockery)))
     (home-page "https://github.com/snoyberg/yaml/")
     (synopsis "Parsing and rendering YAML documents")
@@ -5627,7 +5597,7 @@ back-ends.")
                (base32
                 "0ilqr8jv41zxcj5qyicg29m8s30b9v70x6f9h2h2rw5ap8bxldl8"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-unix-compat" ,ghc-unix-compat)))
     (home-page "https://github.com/bos/filemanip")
@@ -5672,7 +5642,7 @@ do on-demand loading.")
                (base32
                 "0hxa57cdknz86zywpjwfbdhac5lmk7j0wd5hy4mcnb8mw6r2m592"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-zlib" ,ghc-zlib)
        ("ghc-vector" ,ghc-vector)
@@ -5727,12 +5697,12 @@ libraries, like OpenSSL.")
     (arguments
      `(#:configure-flags '("-fsystem-lua")))
     (inputs
-     `(("lua" ,lua-5.1)))
-    (propagated-inputs
-     `(("ghc-text" ,ghc-text)))
+     `(("lua" ,lua-5.1)
+       ("ghc-text" ,ghc-text)))
     (native-inputs
      `(("ghc-hspec" ,ghc-hspec)
        ("ghc-hspec-contrib" ,ghc-hspec-contrib)
+       ("hspec-discover" ,hspec-discover)
        ("ghc-hunit" ,ghc-hunit)
        ("ghc-quickcheck" ,ghc-quickcheck)
        ("ghc-quickcheck-instances" ,ghc-quickcheck-instances)))
@@ -5756,7 +5726,7 @@ described in @url{http://www.lua.org/}.")
                (base32
                 "090z3dp928243amnc6s8g10rk2h2bprk9y138q6wj3cpflzr72pw"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)))
     (home-page "https://github.com/yesodweb/wai")
     (synopsis "Basic MIME type handling types and functions")
@@ -5779,7 +5749,7 @@ described in @url{http://www.lua.org/}.")
     (build-system haskell-build-system)
     ;; Tests require access to the web.
     (arguments `(#:tests? #f))
-    (propagated-inputs
+    (inputs
      `(("ghc-text" ,ghc-text)
        ("ghc-http-types" ,ghc-http-types)
        ("ghc-blaze-builder" ,ghc-blaze-builder)
@@ -5837,7 +5807,7 @@ wrapping a bytestring with stronger and more meaniful name.")
                (base32
                 "1xha17nwzxdjizbcp63d2142c6q051y77facs7xribgcl5iz2m4v"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-old-locale" ,ghc-old-locale)))
     (native-inputs
@@ -5866,7 +5836,7 @@ representations of current time.")
                (base32
                 "162sk5sg22w21wqz5qv8kx6ibxp99v5p20g3nknhm1kddk3hha1p"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-base64-bytestring" ,ghc-base64-bytestring)))
     (native-inputs
@@ -5895,7 +5865,7 @@ Mail} (PEM) format.")
                (base32
                 "1iif9yrh4mmj249gyvam0zb2vb3jnlz777gahh2z9sx00dsx9rja"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-memory" ,ghc-memory)
        ("ghc-hourglass" ,ghc-hourglass)))
     (home-page "https://github.com/vincenthz/hs-asn1-types")
@@ -5918,7 +5888,7 @@ format.")
                (base32
                 "01ki5msrpccgdbdiaaa5a9zw0icp1hki4hca8qx6hzlp0rcf1mwh"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-hourglass" ,ghc-hourglass)
        ("ghc-asn1-types" ,ghc-asn1-types)
        ("ghc-text" ,ghc-text)
@@ -5946,7 +5916,7 @@ supports for high level forms of ASN1 (BER, and DER).")
                (base32
                 "025prsihk5g6rdv9xlfmj0zpa0wa3qjzj5i4ilzvg7f6f3sji8y6"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-asn1-types" ,ghc-asn1-types)
        ("ghc-asn1-encoding" ,ghc-asn1-encoding)))
     (home-page "https://github.com/vincenthz/hs-asn1")
@@ -5968,7 +5938,7 @@ when ASN1 pattern matching is not convenient.")
                (base32
                 "14yvlpli6cv6bn3kh8mlfp4x1l6ns4fvmfv6hmj75cvxyzq029d7"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-tasty" ,ghc-tasty)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-tasty-quickcheck" ,ghc-tasty-quickcheck)
@@ -5993,7 +5963,7 @@ tasty.")
                (base32
                 "1rw5k34vpn4134yrzdhf0rsshsrkixfbv9ap18di2n00z2cw1shw"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-memory" ,ghc-memory)
        ("ghc-byteable" ,ghc-byteable)))
     (native-inputs
@@ -6048,7 +6018,7 @@ set, memory copy, ..) and more")
                (base32
                 "1pmsby29abn485fvnymsgipvb3p1ch9c591xj5ncszkf0ivjiiin"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-memory" ,ghc-memory)
        ("ghc-mtl" ,ghc-mtl)
        ("ghc-hourglass" ,ghc-hourglass)
@@ -6079,7 +6049,7 @@ set, memory copy, ..) and more")
                (base32
                 "01abx528i9f7djq2772xyna8x2mykrnwqkcfrapcx7z3bhprvml3"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-pem" ,ghc-pem)
        ("ghc-asn1-types" ,ghc-asn1-types)
@@ -6106,7 +6076,7 @@ collections, certificates, revocation lists, and exception lists.")
                (base32
                 "1qr1v561hdlhjgqjv9pj9mbk0q1xf2mr1j67ghy93nlxxyzd7dw0"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-memory" ,ghc-memory)
        ("ghc-byteable" ,ghc-byteable)
        ("ghc-mtl" ,ghc-mtl)
@@ -6138,7 +6108,7 @@ list validation.")
                (base32
                 "10qf60d2f9jqwnbrhsb2cwpi86xg66m6dxndlxw967v1cdb3h6gf"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-pem" ,ghc-pem)
        ("ghc-x509" ,ghc-x509)
@@ -6162,7 +6132,7 @@ for X.509 certificates.")
                (base32
                 "1rdidf18i781c0vdvy9yn79yh08hmcacf6fp3sgghyiy3h0wyh5l"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-mtl" ,ghc-mtl)
        ("ghc-cereal" ,ghc-cereal)
        ("ghc-data-default-class" ,ghc-data-default-class)
@@ -6205,7 +6175,7 @@ extensions.")
                (base32
                 "1nmldlwxqasmg359i2aa3a903gi3lmnlspvf12xk49jrg3mf3dg9"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-cereal" ,ghc-cereal)
        ("ghc-network" ,ghc-network)))
     (home-page "https://github.com/vincenthz/hs-socks")
@@ -6227,7 +6197,7 @@ extensions.")
                (base32
                 "090il95jnm7ihwvcx3s9v6iwnp37nnsdx15q7722l845g51d95c8"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-byteable" ,ghc-byteable)
        ("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-network" ,ghc-network)
@@ -6260,7 +6230,7 @@ the choice of SSL/TLS, and SOCKS.")
     (build-system haskell-build-system)
     ;; Tests require Internet access
     (arguments `(#:tests? #f))
-    (propagated-inputs
+    (inputs
      `(("ghc-data-default-class" ,ghc-data-default-class)
        ("ghc-http-client" ,ghc-http-client)
        ("ghc-connection" ,ghc-connection)
@@ -6290,7 +6260,7 @@ libraries, such as http-conduit.")
         (base32
          "1v78zq12p71gq0pc24h08inxcq5gxd0xb7m5ds0xw9pv9l2pswl1"))))
     (build-system haskell-build-system)
-    (propagated-inputs
+    (inputs
      `(("ghc-syb" ,ghc-syb)
        ("ghc-unordered-containers" ,ghc-unordered-containers)
        ("ghc-parsec" ,ghc-parsec)
@@ -6867,6 +6837,7 @@ Polymorphism', by Mark P Jones.  This package is almost a compatible replacement
 the @code{mtl-tf} package.")
     (license license:bsd-3)))
 
+;; Do not use this.  Bytestring is a standard library and always included.
 (define-public ghc-bytestring
   (package
     (name "ghc-bytestring")
@@ -6947,6 +6918,7 @@ supported.  A module of colour names (\"Data.Colour.Names\") is provided.")
 files and directories in a portable way.")
     (license license:bsd-3)))
 
+;; Do not use this as an input.  It is part of GHC.
 (define-public ghc-process
   (package
     (name "ghc-process")
@@ -6961,6 +6933,14 @@ files and directories in a portable way.")
         (base32
          "1v1bav5isqxq9fc4lw714x94qbfsjbm2nn12kjp69r1ql8jaaaqw"))))
     (build-system haskell-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'patch-reference-to-/bin/sh
+           (lambda _
+             (substitute* "System/Process/Posix.hs"
+               (("/bin/sh") (which "sh")))
+             #t)))))
     (home-page "http://hackage.haskell.org/package/process")
     (synopsis "System process libraries")
     (description
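Review bot: The `patch-reference-to-/bin/sh` phase picks the shell implicitly, because `(which "sh")` returns whatever `sh` is first on the build-time PATH and that store path is then compiled into the library. No shell appears as an input in the visible lines, and `which` returns `#f` when nothing is found, so the phase depends on the build environment providing one. If a shell is added as an explicit input, the lambda could take `inputs` and use `(string-append (assoc-ref inputs "bash") "/bin/sh")`, where the label `"bash"` is only an example. At minimum add a comment such as `;; Programs using System.Process run shell commands through this store path.` so the pinned dependency is visible to later readers.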
diff --git a/gnu/packages/julia.scm b/gnu/packages/julia.scm
index e3cefb4330..a6664a54c2 100644
--- a/gnu/packages/julia.scm
+++ b/gnu/packages/julia.scm
@@ -40,16 +40,17 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages textutils)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages version-control)
   #:use-module (gnu packages wget)
   #:use-module (ice-9 match))
 
 (define libuv-julia
-  (let ((commit "efb40768b7c7bd9f173a7868f74b92b1c5a61a0e")
-        (revision "3"))
+  (let ((commit "8d5131b6c1595920dd30644cd1435b4f344b46c8")
+        (revision "4"))
     (package (inherit libuv)
       (name "libuv-julia")
-      (version (string-append "0.11.26." revision "-" (string-take commit 8)))
+      (version (string-append "1.9.0-" revision "." (string-take commit 8)))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -58,7 +59,7 @@
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
-                  "16k6pm2jl0ymz5j4ldxn94imdimahqqfd2izgr3zf1vwyyay77w3"))))
+                  "1fq0vhiprdryw8iisxxwyld3xdr5za6y8458p22ff56al98h22fv"))))
       (build-system gnu-build-system)
       (arguments
        (substitute-keyword-arguments (package-arguments libuv)
@@ -67,10 +68,22 @@
              (delete 'autogen)))))
       (home-page "https://github.com/JuliaLang/libuv"))))
 
+(define libunwind-for-julia
+  (package
+    (inherit libunwind)
+    (version "1.1-julia2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://s3.amazonaws.com/julialang/src/"
+                                  "libunwind-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0499x7sg2v18a6cry6l8y713cgmic0adnjph8i0xr1db9p7n8qyv"))))))
+
 (define-public julia
   (package
     (name "julia")
-    (version "0.4.5")
+    (version "0.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
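Review bot: `libunwind-for-julia` replaces the whole `source` of `libunwind`, so any patches or later version bumps on the parent package's origin will presumably not reach this variant. Nothing here says why Julia needs its own tarball or that the fork has to be maintained separately. A comment above the definition would cover both, for example `;; Julia needs its patched libunwind; fixes applied to 'libunwind' must be ported here by hand.` The variant also inherits the parent's `name`, so the two are told apart only by the version string `1.1-julia2`.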
@@ -78,7 +91,7 @@
                     version "/julia-" version ".tar.gz"))
               (sha256
                (base32
-                "09gc6yf3v4in0qwhrbgjrjgvblp941di0mli4zax22mvf4dzc7s4"))))
+                "0bhickil88lalp9jdj1kmf4is70zinhx8ha9rng0g3z50r4a2qmv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
@@ -86,6 +99,9 @@
                   (guix build gnu-build-system)
                   (guix build utils))
 
+       ;; Do not strip binaries to keep support for full backtraces.
+       ;; See https://github.com/JuliaLang/julia/issues/17831
+       #:strip-binaries? #f
 
        ;; The DSOs use $ORIGIN to refer to each other, but (guix build
        ;; gremlin) doesn't support it yet, so skip this phase.
@@ -96,24 +112,33 @@
          (delete 'configure)
          (add-after 'unpack 'prepare-deps
            (lambda* (#:key inputs #:allow-other-keys)
-             (copy-file (assoc-ref inputs "rmath-julia")
-                        "deps/Rmath-julia-0.1.tar.gz")
+             (mkdir "deps/srccache")
              (copy-file (assoc-ref inputs "dsfmt")
-                        "deps/dsfmt-2.2.3.tar.gz")
+                        "deps/srccache/dsfmt-2.2.3.tar.gz")
              (copy-file (assoc-ref inputs "objconv")
-                        "deps/objconv.zip")
+                        "deps/srccache/objconv.zip")
              (copy-file (assoc-ref inputs "suitesparse")
-                        "deps/SuiteSparse-4.4.2.tar.gz")
-             (copy-file (assoc-ref inputs "virtualenv")
-                        "deps/virtualenv-1.11.6.tar.gz")
+                        "deps/srccache/SuiteSparse-4.4.5.tar.gz")
+             (copy-file (string-append (assoc-ref inputs "virtualenv")
+                                       "/bin/virtualenv")
+                        "julia-env")
+             #t))
+         (add-after 'unpack 'fix-llvm-flag
+           (lambda _
+             (substitute* "src/Makefile"
+               (("-lLLVM-\\$\\(shell \\$\\(LLVM_CONFIG_HOST\\) --version\\)")
+                "$(shell $(LLVM_CONFIG_HOST) --libs)"))
              #t))
+         (add-before 'check 'set-home
+           ;; Some tests require a home directory to be set.
+           (lambda _ (setenv "HOME" "/tmp") #t))
          (add-after 'unpack 'hardcode-soname-map
-          ;; ./src/ccall.cpp creates a map from library names to paths using the
-          ;; output of "/sbin/ldconfig -p".  Since ldconfig is not used in Guix,
-          ;; we patch ccall.cpp to contain a static map.
+          ;; ./src/runtime_ccall.cpp creates a map from library names to paths
+          ;; using the output of "/sbin/ldconfig -p".  Since ldconfig is not
+          ;; used in Guix, we patch runtime_ccall.cpp to contain a static map.
           (lambda* (#:key inputs #:allow-other-keys)
             (use-modules (ice-9 match))
-            (substitute* "src/ccall.cpp"
+            (substitute* "src/runtime_ccall.cpp"
               (("jl_read_sonames.*;")
                (string-join
                 (map (match-lambda
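Review bot: The new `fix-llvm-flag` phase has no comment, unlike `set-home` and `hardcode-soname-map` beside it, and the escaped regexp is hard to read without one. A line such as `;; src/Makefile links with "-lLLVM-<version>"; ask llvm-config for the library flags instead.` would say what the substitution is for. The `hardcode-soname-map` lambda continues past the end of this hunk.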
@@ -133,6 +158,31 @@
                        ("openspecfun" "libopenspecfun" "libopenspecfun.so")
                        ("fftw"        "libfftw3"       "libfftw3.so")
                        ("fftwf"       "libfftw3f"      "libfftw3f.so"))))))
+            (substitute* "base/fft/FFTW.jl"
+              (("const libfftw = Base.libfftw_name")
+               (string-append "const libfftw = \""
+                              (assoc-ref inputs "fftw") "/lib/libfftw3.so"
+                              "\""))
+              (("const libfftwf = Base.libfftwf_name")
+               (string-append "const libfftwf = \""
+                              (assoc-ref inputs "fftwf") "/lib/libfftw3f.so"
+                              "\"")))
+            (substitute* "base/math.jl"
+              (("const libm = Base.libm_name")
+               (string-append "const libm = \""
+                              (assoc-ref inputs "openlibm")
+                              "/lib/libopenlibm.so"
+                              "\""))
+              (("const openspecfun = \"libopenspecfun\"")
+               (string-append "const openspecfun = \""
+                              (assoc-ref inputs "openspecfun")
+                              "/lib/libopenspecfun.so"
+                              "\"")))
+            (substitute* "base/pcre.jl"
+              (("const PCRE_LIB = \"libpcre2-8\"")
+               (string-append "const PCRE_LIB = \""
+                              (assoc-ref inputs "pcre2")
+                              "/lib/libpcre2-8.so" "\"")))
             #t))
          (add-before 'build 'fix-include-and-link-paths
           (lambda* (#:key inputs #:allow-other-keys)
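Review bot: The new `substitute*` calls on `base/fft/FFTW.jl`, `base/math.jl` and `base/pcre.jl` match exact source lines such as `const libm = Base.libm_name`, and `substitute*` does nothing when a pattern fails to match. After a Julia update that rewords one of these lines, the build would still succeed but the library would be looked up by name rather than by store path. A comment in the phase would flag this, for example `;; substitute* is silent when a pattern no longer matches; re-check these after each Julia update.` The `"pcre2"` lookup also relies on an input that is not among the visible input lines, so confirm it is present.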
@@ -153,10 +203,6 @@
                               (assoc-ref %build-inputs "libuv")
                               "/lib/libuv.so ")))
 
-            (substitute* "deps/Makefile"
-              (("/usr/include/double-conversion")
-               (string-append (assoc-ref %build-inputs "double-conversion")
-                              "/include/double-conversion")))
             (substitute* "base/Makefile"
               (("\\$\\(build_includedir\\)/uv-errno.h")
                (string-append (assoc-ref inputs "libuv")
@@ -176,15 +222,13 @@
          (add-before 'check 'disable-broken-tests
            (lambda _
              (substitute* "test/choosetests.jl"
-               ;; These tests time out.  See
-               ;; https://github.com/JuliaLang/julia/issues/14374 for ongoing
-               ;; discussion.
-               (("\"replcompletions\",") "")
-               (("\"repl\",") ""))
-             (substitute* "test/repl.jl"
-               ;; This test fails because we cannot escape the build
-               ;; directory.
-               (("@test pwd\\(\\) == homedir\\(\\)") "#"))
+               ;; These tests fail, probably because some of the input
+               ;; binaries have been stripped and thus backtraces don't look
+               ;; as expected.
+               (("\"backtrace\",") "")
+               (("\"compile\",") "")
+               (("\"replutil\",") "")
+               (("\"cmdlineargs\",") ""))
              #t)))
        #:make-flags
        (list
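Review bot: The `disable-broken-tests` phase now switches off four whole test groups (`backtrace`, `compile`, `replutil`, `cmdlineargs`) on a reason the comment itself marks as a guess ("probably"). The stripped-binaries explanation plausibly fits `backtrace`, but it is less obvious for `compile` and `cmdlineargs`, and regressions in those areas will go unnoticed while they are off. Mark the comment as an open item, for example `;; FIXME: These tests fail; stripped input binaries are the suspected cause (unverified).` Listing the failing test or error for each group would let someone re-enable them one at a time.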
@@ -203,9 +247,6 @@
         "CONFIG_SHELL=bash"     ;needed to build bundled libraries
         "USE_SYSTEM_DSFMT=0"    ;not packaged for Guix and upstream has no
                                 ;build system for a shared library.
-        "USE_SYSTEM_RMATH=0"    ;Julia uses a bundled version of R's math
-                                ;library, patched to use the DSFMT RNG.
-
         "USE_SYSTEM_LAPACK=1"
         "USE_SYSTEM_BLAS=1"
         "USE_BLAS64=0"          ;needed when USE_SYSTEM_BLAS=1
@@ -222,7 +263,6 @@
         ;;                "/include")
 
         "USE_GPL_LIBS=1"        ;proudly
-        "USE_SYSTEM_GRISU=1"    ;for double-conversion
         "USE_SYSTEM_UTF8PROC=1"
         (string-append "UTF8PROC_INC="
                        (assoc-ref %build-inputs "utf8proc")
@@ -245,15 +285,14 @@
         "USE_SYSTEM_LIBGIT2=1"
         "USE_SYSTEM_OPENSPECFUN=1")))
     (inputs
-     `(("llvm" ,llvm-3.5)
+     `(("llvm" ,llvm)
        ("arpack-ng" ,arpack-ng)
        ("coreutils" ,coreutils) ;for bindings to "mkdir" and the like
        ("lapack" ,lapack)
        ("openblas" ,openblas) ;Julia does not build with Atlas
-       ("libunwind" ,libunwind)
+       ("libunwind" ,libunwind-for-julia)
        ("openlibm" ,openlibm)
        ("openspecfun" ,openspecfun)
-       ("double-conversion" ,double-conversion)
        ("libgit2" ,libgit2)
        ("fftw" ,fftw)
        ("fftwf" ,fftwf)
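Review bot: The `llvm` input changes from the pinned `llvm-3.5` to the unversioned `llvm` variable, which follows whatever the distribution's default LLVM is. A later default bump would then change the LLVM Julia is built against without touching this file. If this Julia release is only known to work with the current default, add a comment next to the input, for example `;; Julia is built against the default LLVM; re-test when that default changes.` Pinning the versioned variable would be the stricter alternative.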
@@ -266,24 +305,19 @@
        ("which" ,which)
        ("zlib" ,zlib)
        ("gmp" ,gmp)
+       ("virtualenv" ,python2-virtualenv)
        ;; FIXME: The following inputs are downloaded from upstream to allow us
        ;; to use the lightweight Julia release tarball.  Ideally, these inputs
        ;; would eventually be replaced with proper Guix packages.
-       ("rmath-julia"
-        ,(origin
-           (method url-fetch)
-           (uri "https://api.github.com/repos/JuliaLang/Rmath-julia/tarball/v0.1")
-           (file-name "rmath-julia-0.1.tar.gz")
-           (sha256
-            (base32
-             "0ai5dhjc43zcvangz123ryxmlbm51s21rg13bllwyn98w67arhb4"))))
+
+       ;; TODO: run "make -f contrib/repackage_system_suitesparse4.make" to copy static lib
        ("suitesparse"
         ,(origin
            (method url-fetch)
-           (uri "http://faculty.cse.tamu.edu/davis/SuiteSparse/SuiteSparse-4.4.2.tar.gz")
+           (uri "http://faculty.cse.tamu.edu/davis/SuiteSparse/SuiteSparse-4.4.5.tar.gz")
            (sha256
             (base32
-             "1dg0qsv07n71nbn9cgcvn73933rgy1jnxw5bfqkwfq3bidk44cqc"))))
+             "1jcbxb8jx5wlcixzf6n5dca2rcfx6mlcms1k2rl5gp67ay3bix43"))))
        ("objconv"
         ,(origin
            (method url-fetch)
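Review bot: The SuiteSparse version is now written twice: in the URL here (`SuiteSparse-4.4.5.tar.gz`) and in the destination file name used by the `prepare-deps` phase in an earlier hunk of this file. A future bump that changes only one of them would copy the tarball under a name that may not match what Julia's build expects in `deps/srccache`. A comment on this input would help, for example `;; Keep the version in sync with the file name in the 'prepare-deps' phase.` The download uses plain `http://`, but the `sha256` field is what pins the content.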
@@ -299,18 +333,10 @@
                  "SFMT/dSFMT-src-2.2.3.tar.gz"))
            (sha256
             (base32
-             "03kaqbjbi6viz0n33dk5jlf6ayxqlsq4804n7kwkndiga9s4hd42"))))
-       ("virtualenv"
-        ,(origin
-           (method url-fetch)
-           (uri (string-append "https://pypi.python.org/packages/24/cc/"
-                               "a3cdf0a49ffcaef483b7e2511476aa520cf7260c199a6928fda6c43ba916/"
-                               "virtualenv-1.11.6.tar.gz"))
-           (sha256
-            (base32
-             "1xq4prmg25n9cz5zcvbqx68lmc3kl39by582vd8pzs9f3qalqyiy"))))))
+             "03kaqbjbi6viz0n33dk5jlf6ayxqlsq4804n7kwkndiga9s4hd42"))))))
     (native-inputs
-     `(("perl" ,perl)
+     `(("openssl" ,openssl)
+       ("perl" ,perl)
        ("patchelf" ,patchelf)
        ("pkg-config" ,pkg-config)
        ("python" ,python-2)))
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 8f4a6c9f61..e02e4f4cdc 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -710,7 +710,7 @@ and to return information on pronunciations, meanings and synonyms.")
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.1.4.2")
+    (version "5.1.5.2")
     (source
      (origin
       (method url-fetch)
@@ -719,7 +719,7 @@ and to return information on pronunciations, meanings and synonyms.")
           "http://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "11c30y9gvsy5h3nh9pnciq57gi99plrmr6qp8hhdk2l5xmwlmrfa"))))
+               "1qg0dj0zwh5ifhmvv4k771nmyqddz4ifn75s9mr1p0nyix8zks8x"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; autoreconf is run by the LibreOffice build system, since after
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 64e8bfbf06..c6de8fa651 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -321,14 +321,14 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
 (define-public linux-libre
-  (make-linux-libre "4.7.5"
-                    "1v5xzagc7zmf0dszq623h83rzhn2qwcapg2fwlihrrb6h9317xqx"
+  (make-linux-libre "4.7.6"
+                    "0716lpzq3w2pdc0nrrx06gqzdfzhkrjq7g37v4ws9wjlzak8hkvy"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.22"
-                    "0pwqp5hain26p3wmiqgq3qasyp4j7nl2ai49sq2n8xdi3g2vnmii"
+  (make-linux-libre "4.4.23"
+                    "07akixpxlcrpfsadnppyk2hbggqf7j2hzlkg56k0yh3dhyglxv86"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -339,8 +339,8 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 ;; Avoid rebuilding kernel variants when there is a minor version bump.
-(define %linux-libre-version "4.7.5")
-(define %linux-libre-hash "1v5xzagc7zmf0dszq623h83rzhn2qwcapg2fwlihrrb6h9317xqx")
+(define %linux-libre-version "4.7.6")
+(define %linux-libre-hash "0716lpzq3w2pdc0nrrx06gqzdfzhkrjq7g37v4ws9wjlzak8hkvy")
 
 (define-public linux-libre-arm-generic
   (make-linux-libre %linux-libre-version
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index d2410c6106..30b538d630 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -109,6 +109,17 @@ algorithms AES or Twofish.")
                (base32
                 "1y43yhgy2zbrk5bqj3qyx9rkcz2bma9sinlrg7dip3jqms9gq4lr"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'wrap-shroud
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out       (assoc-ref outputs "out"))
+                    (ccachedir (string-append out "/lib/guile/2.0/ccache"))
+                    (prog      (string-append out "/bin/shroud")))
+               (wrap-program prog
+                 `("GUILE_LOAD_COMPILED_PATH" ":" prefix (,ccachedir)))
+               #t))))))
     (inputs
      `(("guile" ,guile-2.0)
        ("gnupg" ,gnupg)
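Review bot: The `wrap-shroud` phase hard-codes `2.0` in `ccachedir`, which has to stay in step with the `guile-2.0` input a few lines below, and nothing records why the wrapper is needed. A short comment would cover both, for example `;; Let shroud find its compiled modules; "2.0" must match the guile input.` The `prefix` mode keeps the store directory ahead of any `GUILE_LOAD_COMPILED_PATH` inherited from the environment, which is the right order for a password manager. The wrapper sets only the compiled path, so confirm that the source modules are found without a matching `GUILE_LOAD_PATH` entry.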
diff --git a/gnu/packages/patches/gd-CVE-2016-7568.patch b/gnu/packages/patches/gd-CVE-2016-7568.patch
new file mode 100644
index 0000000000..6a1a63296c
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-7568.patch
@@ -0,0 +1,44 @@
+Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()):
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f
+
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+ src/gd_webp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ 		quality = 80;
+ 	}
+ 
++	if (overflow2(gdImageSX(im), 4)) {
++		return;
++	}
++
++	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++		return;
++	}
++
+ 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+ 	if (!argb) {
+ 		return;
+-- 
+2.10.0
+
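Review bot: The two added `overflow2()` guards in gdImageWebpCtx leave through a bare `return;` from a `void` function, so a caller cannot tell a rejected oversized image from a successful write; the output context simply receives nothing. Whether callers treat an empty result as valid cannot be judged from this embedded hunk and is worth checking upstream. A short comment above the guards would help later readers, e.g. `/* Reject dimensions for which gdImageSX(im) * 4 * gdImageSY(im) would overflow before it sizes the buffer. */`. The function body continues outside the embedded hunk.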
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
new file mode 100644
index 0000000000..bef628f0a8
--- /dev/null
+++ b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
@@ -0,0 +1,77 @@
+Fix buffer overflow reading 7Zip files:
+
+https://github.com/libarchive/libarchive/issues/761
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
+
+From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 18 Sep 2016 18:14:58 -0700
+Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
+
+The sample file that demonstrated this had multiple 'EmptyStream'
+attributes.  The first one ended up being used to calculate
+certain statistics, then was overwritten by the second which
+was incompatible with those statistics.
+
+The fix here is to reject any header with multiple EmptyStream
+attributes.  While here, also reject headers with multiple
+EmptyFile, AntiFile, Name, or Attributes markers.
+---
+ libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index 1dfe52b..c0a536c 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 
+ 		switch (type) {
+ 		case kEmptyStream:
++			if (h->emptyStreamBools != NULL)
++				return (-1);
+ 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
+ 			    sizeof(*h->emptyStreamBools));
+ 			if (h->emptyStreamBools == NULL)
+@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 					return (-1);
+ 				break;
+ 			}
++			if (h->emptyFileBools != NULL)
++				return (-1);
+ 			h->emptyFileBools = calloc(empty_streams,
+ 			    sizeof(*h->emptyFileBools));
+ 			if (h->emptyFileBools == NULL)
+@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 					return (-1);
+ 				break;
+ 			}
++			if (h->antiBools != NULL)
++				return (-1);
+ 			h->antiBools = calloc(empty_streams,
+ 			    sizeof(*h->antiBools));
+ 			if (h->antiBools == NULL)
+@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 			if ((ll & 1) || ll < zip->numFiles * 4)
+ 				return (-1);
+ 
++			if (zip->entry_names != NULL)
++				return (-1);
+ 			zip->entry_names = malloc(ll);
+ 			if (zip->entry_names == NULL)
+ 				return (-1);
+@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 			if ((p = header_bytes(a, 2)) == NULL)
+ 				return (-1);
+ 			allAreDefined = *p;
++			if (h->attrBools != NULL)
++				return (-1);
+ 			h->attrBools = calloc((size_t)zip->numFiles,
+ 			    sizeof(*h->attrBools));
+ 			if (h->attrBools == NULL)
+-- 
+2.10.0
+
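Review bot: The five added `!= NULL` guards in read_Header carry no comment saying why a repeated attribute is fatal; the reason (an earlier copy has already been used to calculate values that a later copy would contradict) is given only in the commit message. A comment at the first guard, under `case kEmptyStream:`, would fix that, e.g. `/* Each attribute may appear only once; a second one would replace an array that earlier sizes were computed from. */`. The early `return (-1)` relies on the caller releasing whatever `h` and `zip` already hold, which is not visible in these fragments. Whether other allocating cases in the switch need the same guard cannot be told from here.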
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
new file mode 100644
index 0000000000..bce63d5e4e
--- /dev/null
+++ b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
@@ -0,0 +1,445 @@
+This patch fixes two bugs that allow attackers to overwrite or change
+the permissions of arbitrary files:
+
+https://github.com/libarchive/libarchive/issues/745
+https://github.com/libarchive/libarchive/issues/746
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
+
+From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 11 Sep 2016 13:21:57 -0700
+Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
+
+---
+ libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
+ 1 file changed, 227 insertions(+), 67 deletions(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 8f0421e..abe1a86 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -326,12 +326,14 @@ struct archive_write_disk {
+ 
+ #define HFS_BLOCKS(s)	((s) >> 12)
+ 
++static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
+ static int	check_symlinks(struct archive_write_disk *);
+ static int	create_filesystem_object(struct archive_write_disk *);
+ static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
+ #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
+ static void	edit_deep_directories(struct archive_write_disk *ad);
+ #endif
++static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
+ static int	cleanup_pathname(struct archive_write_disk *);
+ static int	create_dir(struct archive_write_disk *, char *);
+ static int	create_parent_dir(struct archive_write_disk *, char *);
+@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
+ 	const char *linkname;
+ 	mode_t final_mode, mode;
+ 	int r;
++	/* these for check_symlinks_fsobj */
++	char *linkname_copy;	/* non-const copy of linkname */
++	struct archive_string error_string;
++	int error_number;
+ 
+ 	/* We identify hard/symlinks according to the link names. */
+ 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
+@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
+ #if !HAVE_LINK
+ 		return (EPERM);
+ #else
++		archive_string_init(&error_string);
++		linkname_copy = strdup(linkname);
++		if (linkname_copy == NULL) {
++		    return (EPERM);
++		}
++		/* TODO: consider using the cleaned-up path as the link target? */
++		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
++		if (r != ARCHIVE_OK) {
++			archive_set_error(&a->archive, error_number, "%s", error_string.s);
++			free(linkname_copy);
++			/* EPERM is more appropriate than error_number for our callers */
++			return (EPERM);
++		}
++		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
++		if (r != ARCHIVE_OK) {
++			archive_set_error(&a->archive, error_number, "%s", error_string.s);
++			free(linkname_copy);
++			/* EPERM is more appropriate than error_number for our callers */
++			return (EPERM);
++		}
++		free(linkname_copy);
+ 		r = link(linkname, a->name) ? errno : 0;
+ 		/*
+ 		 * New cpio and pax formats allow hardlink entries
+@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
+  * recent paths.
+  */
+ /* TODO: Extend this to support symlinks on Windows Vista and later. */
++
++/*
++ * Checks the given path to see if any elements along it are symlinks.  Returns
++ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
++ */
+ static int
+-check_symlinks(struct archive_write_disk *a)
++check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
+ {
+ #if !defined(HAVE_LSTAT)
+ 	/* Platform doesn't have lstat, so we can't look for symlinks. */
+ 	(void)a; /* UNUSED */
++	(void)path; /* UNUSED */
++	(void)error_number; /* UNUSED */
++	(void)error_string; /* UNUSED */
++	(void)flags; /* UNUSED */
+ 	return (ARCHIVE_OK);
+ #else
+-	char *pn;
++	int res = ARCHIVE_OK;
++	char *tail;
++	char *head;
++	int last;
+ 	char c;
+ 	int r;
+ 	struct stat st;
++	int restore_pwd;
++
++	/* Nothing to do here if name is empty */
++	if(path[0] == '\0')
++	    return (ARCHIVE_OK);
+ 
+ 	/*
+ 	 * Guard against symlink tricks.  Reject any archive entry whose
+ 	 * destination would be altered by a symlink.
++	 *
++	 * Walk the filename in chunks separated by '/'.  For each segment:
++	 *  - if it doesn't exist, continue
++	 *  - if it's symlink, abort or remove it
++	 *  - if it's a directory and it's not the last chunk, cd into it
++	 * As we go:
++	 *  head points to the current (relative) path
++	 *  tail points to the temporary \0 terminating the segment we're currently examining
++	 *  c holds what used to be in *tail
++	 *  last is 1 if this is the last tail
+ 	 */
+-	/* Whatever we checked last time doesn't need to be re-checked. */
+-	pn = a->name;
+-	if (archive_strlen(&(a->path_safe)) > 0) {
+-		char *p = a->path_safe.s;
+-		while ((*pn != '\0') && (*p == *pn))
+-			++p, ++pn;
+-	}
++	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
++	__archive_ensure_cloexec_flag(restore_pwd);
++	if (restore_pwd < 0)
++		return (ARCHIVE_FATAL);
++	head = path;
++	tail = path;
++	last = 0;
++	/* TODO: reintroduce a safe cache here? */
+ 	/* Skip the root directory if the path is absolute. */
+-	if(pn == a->name && pn[0] == '/')
+-		++pn;
+-	c = pn[0];
+-	/* Keep going until we've checked the entire name. */
+-	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
++	if(tail == path && tail[0] == '/')
++		++tail;
++	/* Keep going until we've checked the entire name.
++	 * head, tail, path all alias the same string, which is
++	 * temporarily zeroed at tail, so be careful restoring the
++	 * stashed (c=tail[0]) for error messages.
++	 * Exiting the loop with break is okay; continue is not.
++	 */
++	while (!last) {
++		/* Skip the separator we just consumed, plus any adjacent ones */
++		while (*tail == '/')
++		    ++tail;
+ 		/* Skip the next path element. */
+-		while (*pn != '\0' && *pn != '/')
+-			++pn;
+-		c = pn[0];
+-		pn[0] = '\0';
++		while (*tail != '\0' && *tail != '/')
++			++tail;
++		/* is this the last path component? */
++		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
++		/* temporarily truncate the string here */
++		c = tail[0];
++		tail[0] = '\0';
+ 		/* Check that we haven't hit a symlink. */
+-		r = lstat(a->name, &st);
++		r = lstat(head, &st);
+ 		if (r != 0) {
++			tail[0] = c;
+ 			/* We've hit a dir that doesn't exist; stop now. */
+ 			if (errno == ENOENT) {
+ 				break;
+ 			} else {
+-				/* Note: This effectively disables deep directory
++				/* Treat any other error as fatal - best to be paranoid here
++				 * Note: This effectively disables deep directory
+ 				 * support when security checks are enabled.
+ 				 * Otherwise, very long pathnames that trigger
+ 				 * an error here could evade the sandbox.
+ 				 * TODO: We could do better, but it would probably
+ 				 * require merging the symlink checks with the
+ 				 * deep-directory editing. */
+-				return (ARCHIVE_FAILED);
++				if (error_number) *error_number = errno;
++				if (error_string)
++					archive_string_sprintf(error_string,
++							"Could not stat %s",
++							path);
++				res = ARCHIVE_FAILED;
++				break;
++			}
++		} else if (S_ISDIR(st.st_mode)) {
++			if (!last) {
++				if (chdir(head) != 0) {
++					tail[0] = c;
++					if (error_number) *error_number = errno;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Could not chdir %s",
++								path);
++					res = (ARCHIVE_FATAL);
++					break;
++				}
++				/* Our view is now from inside this dir: */
++				head = tail + 1;
+ 			}
+ 		} else if (S_ISLNK(st.st_mode)) {
+-			if (c == '\0') {
++			if (last) {
+ 				/*
+ 				 * Last element is symlink; remove it
+ 				 * so we can overwrite it with the
+ 				 * item being extracted.
+ 				 */
+-				if (unlink(a->name)) {
+-					archive_set_error(&a->archive, errno,
+-					    "Could not remove symlink %s",
+-					    a->name);
+-					pn[0] = c;
+-					return (ARCHIVE_FAILED);
++				if (unlink(head)) {
++					tail[0] = c;
++					if (error_number) *error_number = errno;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Could not remove symlink %s",
++								path);
++					res = ARCHIVE_FAILED;
++					break;
+ 				}
+-				a->pst = NULL;
+ 				/*
+ 				 * Even if we did remove it, a warning
+ 				 * is in order.  The warning is silly,
+ 				 * though, if we're just replacing one
+ 				 * symlink with another symlink.
+ 				 */
+-				if (!S_ISLNK(a->mode)) {
+-					archive_set_error(&a->archive, 0,
+-					    "Removing symlink %s",
+-					    a->name);
++				tail[0] = c;
++				/* FIXME:  not sure how important this is to restore
++				if (!S_ISLNK(path)) {
++					if (error_number) *error_number = 0;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Removing symlink %s",
++								path);
+ 				}
++				*/
+ 				/* Symlink gone.  No more problem! */
+-				pn[0] = c;
+-				return (0);
+-			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
++				res = ARCHIVE_OK;
++				break;
++			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
+ 				/* User asked us to remove problems. */
+-				if (unlink(a->name) != 0) {
+-					archive_set_error(&a->archive, 0,
+-					    "Cannot remove intervening symlink %s",
+-					    a->name);
+-					pn[0] = c;
+-					return (ARCHIVE_FAILED);
++				if (unlink(head) != 0) {
++					tail[0] = c;
++					if (error_number) *error_number = 0;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Cannot remove intervening symlink %s",
++								path);
++					res = ARCHIVE_FAILED;
++					break;
+ 				}
+-				a->pst = NULL;
++				tail[0] = c;
+ 			} else {
+-				archive_set_error(&a->archive, 0,
+-				    "Cannot extract through symlink %s",
+-				    a->name);
+-				pn[0] = c;
+-				return (ARCHIVE_FAILED);
++				tail[0] = c;
++				if (error_number) *error_number = 0;
++				if (error_string)
++					archive_string_sprintf(error_string,
++							"Cannot extract through symlink %s",
++							path);
++				res = ARCHIVE_FAILED;
++				break;
+ 			}
+ 		}
+-		pn[0] = c;
+-		if (pn[0] != '\0')
+-			pn++; /* Advance to the next segment. */
++		/* be sure to always maintain this */
++		tail[0] = c;
++		if (tail[0] != '\0')
++			tail++; /* Advance to the next segment. */
+ 	}
+-	pn[0] = c;
+-	/* We've checked and/or cleaned the whole path, so remember it. */
+-	archive_strcpy(&a->path_safe, a->name);
+-	return (ARCHIVE_OK);
++	/* Catches loop exits via break */
++	tail[0] = c;
++#ifdef HAVE_FCHDIR
++	/* If we changed directory above, restore it here. */
++	if (restore_pwd >= 0) {
++		r = fchdir(restore_pwd);
++		if (r != 0) {
++			if(error_number) *error_number = errno;
++			if(error_string)
++				archive_string_sprintf(error_string,
++						"chdir() failure");
++		}
++		close(restore_pwd);
++		restore_pwd = -1;
++		if (r != 0) {
++			res = (ARCHIVE_FATAL);
++		}
++	}
++#endif
++	/* TODO: reintroduce a safe cache here? */
++	return res;
+ #endif
+ }
+ 
++/*
++ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
++ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
++ */
++static int
++check_symlinks(struct archive_write_disk *a)
++{
++	struct archive_string error_string;
++	int error_number;
++	int rc;
++	archive_string_init(&error_string);
++	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
++	if (rc != ARCHIVE_OK) {
++		archive_set_error(&a->archive, error_number, "%s", error_string.s);
++	}
++	archive_string_free(&error_string);
++	a->pst = NULL;	/* to be safe */
++	return rc;
++}
++
++
+ #if defined(__CYGWIN__)
+ /*
+  * 1. Convert a path separator from '\' to '/' .
+@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
+  * is set) if the path is absolute.
+  */
+ static int
+-cleanup_pathname(struct archive_write_disk *a)
++cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
+ {
+ 	char *dest, *src;
+ 	char separator = '\0';
+ 
+-	dest = src = a->name;
++	dest = src = path;
+ 	if (*src == '\0') {
+-		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+-		    "Invalid empty pathname");
++		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++		if (error_string)
++		    archive_string_sprintf(error_string,
++			    "Invalid empty pathname");
+ 		return (ARCHIVE_FAILED);
+ 	}
+ 
+@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
+ #endif
+ 	/* Skip leading '/'. */
+ 	if (*src == '/') {
+-		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
+-			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+-			                  "Path is absolute");
++		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
++			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++			if (error_string)
++			    archive_string_sprintf(error_string,
++				    "Path is absolute");
+ 			return (ARCHIVE_FAILED);
+ 		}
+ 
+@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
+ 			} else if (src[1] == '.') {
+ 				if (src[2] == '/' || src[2] == '\0') {
+ 					/* Conditionally warn about '..' */
+-					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
+-						archive_set_error(&a->archive,
+-						    ARCHIVE_ERRNO_MISC,
+-						    "Path contains '..'");
++					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
++						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++						if (error_string)
++						    archive_string_sprintf(error_string,
++							    "Path contains '..'");
+ 						return (ARCHIVE_FAILED);
+ 					}
+ 				}
+@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
+ 	 * We've just copied zero or more path elements, not including the
+ 	 * final '/'.
+ 	 */
+-	if (dest == a->name) {
++	if (dest == path) {
+ 		/*
+ 		 * Nothing got copied.  The path must have been something
+ 		 * like '.' or '/' or './' or '/././././/./'.
+@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
+ 	return (ARCHIVE_OK);
+ }
+ 
++static int
++cleanup_pathname(struct archive_write_disk *a)
++{
++	struct archive_string error_string;
++	int error_number;
++	int rc;
++	archive_string_init(&error_string);
++	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
++	if (rc != ARCHIVE_OK) {
++		archive_set_error(&a->archive, error_number, "%s", error_string.s);
++	}
++	archive_string_free(&error_string);
++	return rc;
++}
++
+ /*
+  * Create the parent directory of the specified path, assuming path
+  * is already in mutable storage.
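Review bot: In the embedded libarchive patch, check_symlinks_fsobj() returns ARCHIVE_FATAL when `open(".")` fails without filling `error_number` or `error_string`, so check_symlinks() and create_filesystem_object() then hand an uninitialised `error_number` and a presumably still-NULL `error_string.s` to archive_set_error(). Initialising at the callers (`int error_number = 0;`) and writing a message before that return would close it. The `#if !defined(HAVE_LSTAT)` branch still contains `(void)a;` although the function no longer has a parameter `a`, which should not compile on a platform without lstat. create_filesystem_object() also never calls `archive_string_free(&error_string)` on its two failure paths, and reports a failed `strdup()` as EPERM. Since this file is a verbatim copy of the upstream commit named in its header, these belong in an upstream report or a follow-up patch rather than an edit to the copy.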
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
new file mode 100644
index 0000000000..f042c31a84
--- /dev/null
+++ b/gnu/packages/patches/libarchive-fix-symlink-check.patch
@@ -0,0 +1,60 @@
+Make sure to check for symlinks even if the pathname is very long:
+
+https://github.com/libarchive/libarchive/issues/744
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
+
+From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 21 Aug 2016 17:11:45 -0700
+Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
+ long pathnames
+
+Because check_symlinks is handled separately from the deep-directory
+support, very long pathnames cause problems.  Previously, the code
+ignored most failures to lstat() a path component.  In particular,
+this led to check_symlinks always passing for very long paths, which
+in turn provides a way to evade the symlink checks in the sandboxing
+code.
+
+We now fail on unrecognized lstat() failures, which plugs this
+hole at the cost of disabling deep directory support when the
+user requests sandboxing.
+
+TODO:  This probably cannot be completely fixed without
+entirely reimplementing the deep directory support to
+integrate the symlink checks.  I want to reimplement the
+deep directory hanlding someday anyway; openat() and
+related system calls now provide a much cleaner way to
+handle deep directories than the chdir approach used by this
+code.
+---
+ libarchive/archive_write_disk_posix.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 39ee3b6..8f0421e 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
+ 		r = lstat(a->name, &st);
+ 		if (r != 0) {
+ 			/* We've hit a dir that doesn't exist; stop now. */
+-			if (errno == ENOENT)
++			if (errno == ENOENT) {
+ 				break;
++			} else {
++				/* Note: This effectively disables deep directory
++				 * support when security checks are enabled.
++				 * Otherwise, very long pathnames that trigger
++				 * an error here could evade the sandbox.
++				 * TODO: We could do better, but it would probably
++				 * require merging the symlink checks with the
++				 * deep-directory editing. */
++				return (ARCHIVE_FAILED);
++			}
+ 		} else if (S_ISLNK(st.st_mode)) {
+ 			if (c == '\0') {
+ 				/*
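Review bot: The embedded patch's `index 39ee3b6..8f0421e` line shows that it produces exactly the base that libarchive-fix-filesystem-attacks.patch (`index 8f0421e..abe1a86`) starts from, so the two apply only in that order, and neither header says so. A line in this file's header such as `Apply before libarchive-fix-filesystem-attacks.patch.` would make the dependency explicit for whoever edits the package's patch list, which is outside this view. Separately, the new `return (ARCHIVE_FAILED);` is not preceded by an archive_set_error() call in the added lines, so on its own this patch fails without a message; the later patch replaces that path with a "Could not stat %s" message.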
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
new file mode 100644
index 0000000000..0e70ac90ce
--- /dev/null
+++ b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
@@ -0,0 +1,44 @@
+Fixes this buffer overflow:
+https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
+
+Patch copied from upstream source repository:
+https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
+
+From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 21 Aug 2016 10:51:43 -0700
+Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
+
+The safe_fprintf function attempts to ensure clean output for an
+arbitrary sequence of bytes by doing a trial conversion of the
+multibyte characters to wide characters -- if the resulting wide
+character is printable then we pass through the corresponding bytes
+unaltered, otherwise, we convert them to C-style ASCII escapes.
+
+The stack trace in Issue #767 suggest that the 20-byte buffer
+was getting overflowed trying to format a non-printable multibyte
+character.  This should only happen if there is a valid multibyte
+character of more than 5 bytes that was unprintable.  (Each byte
+would get expanded to a four-charcter octal-style escape of the form
+"\123" resulting in >20 characters for the >5 byte multibyte character.)
+
+I've not been able to reproduce this, but have expanded the conversion
+buffer to 128 bytes on the belief that no multibyte character set
+has a single character of more than 32 bytes.
+---
+ tar/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 9ff22f2..2b4aebe 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
+ 		}
+ 
+ 		/* If our output buffer is full, dump it and keep going. */
+-		if (i > (sizeof(outbuff) - 20)) {
++		if (i > (sizeof(outbuff) - 128)) {
+ 			outbuff[i] = '\0';
+ 			fprintf(f, "%s", outbuff);
+ 			i = 0;
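Review bot: The fix raises the flush threshold to `sizeof(outbuff) - 128` on the author's stated belief about maximum multibyte length, and the commit message says the overflow was not reproduced, so the write into `outbuff` is still protected by headroom rather than by a bounds check where the escapes are appended. That loop and the declared size of `outbuff` are outside the hunk, so whether 128 bytes of headroom is always sufficient cannot be confirmed here. The patch header also gives the commit URL twice; the first link was presumably meant to point at the issue the subject names (#767), and the opening line could say so: `Fixes a buffer overflow in safe_fprintf (upstream issue #767):`.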
diff --git a/gnu/packages/patches/quickswitch-fix-dmenu-check.patch b/gnu/packages/patches/quickswitch-fix-dmenu-check.patch
new file mode 100644
index 0000000000..9c6cca47c6
--- /dev/null
+++ b/gnu/packages/patches/quickswitch-fix-dmenu-check.patch
@@ -0,0 +1,32 @@
+Fix check for dmenu (open file mode, dependency on which).
+
+See <https://github.com/proxypoke/quickswitch-for-i3/pull/24>.
+
+--- quickswitch-i3-2.2/quickswitch.py	2016-09-18 19:59:10.257765542 +0200
++++ quickswitch-i3-2.2/quickswitch.py	2016-09-21 10:43:01.277577819 +0200
+@@ -24,9 +24,10 @@
+ 
+ import argparse
+ import subprocess
+-import os
+ import re
+ 
++from distutils.spawn import find_executable
++
+ try:
+     import i3
+ except ImportError:
+@@ -37,11 +38,8 @@
+ 
+ def check_dmenu():
+     '''Check if dmenu is available.'''
+-    devnull = open(os.devnull)
+-    retcode = subprocess.call(["which", "dmenu"],
+-                              stdout=devnull,
+-                              stderr=devnull)
+-    return True if retcode == 0 else False
++    executable = find_executable("dmenu")
++    return executable != None
+ 
+ 
+ def dmenu(options, dmenu):
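Review bot: In the new `check_dmenu`, `return executable != None` compares with `!=` where Python style calls for an identity test; `return find_executable("dmenu") is not None` says the same in one line and drops the temporary. The docstring could also state the return value, e.g. `'''Return True if a dmenu executable is found on PATH.'''`. The check only establishes that some `dmenu` is on the search path and does not fix which binary the later `dmenu()` call will run; that call is outside the hunk.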
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index c165f99d4c..272fff7430 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -281,8 +281,18 @@ ksh, and tcsh.")
         (uri (pypi-uri "xonsh" version))
         (sha256
           (base32
-            "0byxd9kjl99q2pyvjh9jy18l0di1i35wr0qqgnw4i6jh6ig3zcki"))))
+            "0byxd9kjl99q2pyvjh9jy18l0di1i35wr0qqgnw4i6jh6ig3zcki"))
+        (modules '((guix build utils)))
+        (snippet
+         `(begin
+            ;; Delete bundled ply.
+            (delete-file-recursively "xonsh/ply")
+            (substitute* '("setup.py")
+              (("'xonsh\\.ply',") ""))
+            #t))))
     (build-system python-build-system)
+    (inputs
+     `(("python-ply" ,python-ply)))
     (home-page "http://xon.sh/")
     (synopsis "Python-ish shell")
     (description
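Review bot: The snippet removes `xonsh/ply` and the `'xonsh.ply',` entry from setup.py, but nothing visible here shows that xonsh's own modules import a system `ply` once the bundled copy is gone; if any of them import `xonsh.ply` unconditionally, the shell would fail at start-up. The comment could record what was verified, e.g. `;; Delete bundled ply; xonsh falls back to the python-ply input.`, once that is confirmed. The package definition continues outside the hunk.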
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index 1bc5aa78ff..79fb0427fd 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -3042,6 +3042,31 @@ black-and-white.  They are also designed to be perceived by readers with the
 most common form of color blindness.")
     (license license:x11)))
 
+(define-public r-viridislite
+  (package
+    (name "r-viridislite")
+    (version "0.1.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "viridisLite" version))
+       (sha256
+        (base32
+         "1b0fhj8i1m9jsz91gzag60k7vy7kk5xkdg31rc3h3spq96l66psp"))))
+    (properties `((upstream-name . "viridisLite")))
+    (build-system r-build-system)
+    (home-page "https://github.com/sjmgarnier/viridisLite")
+    (synopsis "Default color maps from matplotlib")
+    (description
+     "This package is a port of the new @code{matplotlib} color maps ('viridis',
+'magma', 'plasma' and 'inferno') to R.  matplotlib is a popular plotting
+library for Python.  These color maps are designed in such a way that they
+will analytically be perfectly perceptually-uniform, both in regular form and
+also when converted to black-and-white.  They are also designed to be
+perceived by readers with the most common form of color blindness.  This is
+the 'lite' version of the more complete @code{viridis} package.")
+    (license license:expat)))
+
 (define-public r-tidyr
   (package
     (name "r-tidyr")
@@ -3094,30 +3119,58 @@ and tidyr provides no margins or aggregation.")
 It uses and relies on grid graphics and formal (S4) classes and methods.")
     (license license:gpl2+)))
 
+(define-public r-purrr
+  (package
+    (name "r-purrr")
+    (version "0.2.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "purrr" version))
+       (sha256
+        (base32
+         "0lss8q733nv7s154wargm6vnxq55qygnxakib8xdj4jv0y86sxc3"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-bh" ,r-bh)
+       ("r-dplyr" ,r-dplyr)
+       ("r-lazyeval" ,r-lazyeval)
+       ("r-magrittr" ,r-magrittr)
+       ("r-rcpp" ,r-rcpp)))
+    (home-page "https://github.com/hadley/purrr")
+    (synopsis "Functional programming tools")
+    (description
+     "This package completes R's functional programming tools with missing
+features present in other programming languages.")
+    (license license:gpl3+)))
+
 (define-public r-plotly
   (package
     (name "r-plotly")
-    (version "3.6.0")
+    (version "4.5.2")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "plotly" version))
               (sha256
                (base32
-                "15hvqa0sf4z6l6vvr614zjszfphwpv66zpc665iyiynq0pd1jv2c"))))
+                "08shs0qhy9js0fpj3d4rzfbwmw11ki3z5vg8jszfm6m69mfkgzw1"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-base64enc" ,r-base64enc)
        ("r-digest" ,r-digest)
+       ("r-dplyr" ,r-dplyr)
        ("r-ggplot2" ,r-ggplot2)
        ("r-hexbin" ,r-hexbin)
        ("r-htmlwidgets" ,r-htmlwidgets)
        ("r-httr" ,r-httr)
        ("r-jsonlite" ,r-jsonlite)
+       ("r-lazyeval" ,r-lazyeval)
        ("r-magrittr" ,r-magrittr)
-       ("r-plyr" ,r-plyr)
+       ("r-purrr" ,r-purrr)
        ("r-scales" ,r-scales)
+       ("r-tibble" ,r-tibble)
        ("r-tidyr" ,r-tidyr)
-       ("r-viridis" ,r-viridis)))
+       ("r-viridislite" ,r-viridislite)))
     (home-page "https://plot.ly/r")
     (synopsis "Create interactive web graphics")
     (description
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index c4479fbde9..a9725b47d3 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -102,7 +102,7 @@ libenca and several charset conversion libraries and tools.")
 (define-public utf8proc
   (package
     (name "utf8proc")
-    (version "1.3.1")
+    (version "2.0.2")
     (source
      (origin
        (method url-fetch)
@@ -111,7 +111,7 @@ libenca and several charset conversion libraries and tools.")
              version ".tar.gz"))
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
-        (base32 "1k48as5kjkar4yj3dwxyll8ykj4k723ib5a6mnw1g86q3zi0zdl3"))))
+        (base32 "140vib1m6n5kwzkw1n9fbsi5gl6xymbd7yndwqx1sj15aakak776"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f ;no "check" target
@@ -124,7 +124,7 @@ libenca and several charset conversion libraries and tools.")
     (synopsis "C library for processing UTF-8 Unicode data")
     (description "utf8proc is a small C library that provides Unicode
 normalization, case-folding, and other operations for data in the UTF-8
-encoding, supporting Unicode version 7.0.")
+encoding, supporting Unicode version 9.0.0.")
     (license license:expat)))
 
 (define-public libgtextutils
diff --git a/gnu/packages/tmux.scm b/gnu/packages/tmux.scm
index e4f3b45d68..c6a9ca8cae 100644
--- a/gnu/packages/tmux.scm
+++ b/gnu/packages/tmux.scm
@@ -32,7 +32,7 @@
 (define-public tmux
   (package
     (name "tmux")
-    (version "2.2")
+    (version "2.3")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -40,7 +40,7 @@
                     version "/tmux-" version ".tar.gz"))
              (sha256
               (base32
-               "1r0riry5vw604hc21087ffbkqgr6j4ia1rrsivz2k6grchdm8a5w"))))
+               "0aw5fcav8pa70ym391n4g6mh5vir34x35xhb09zdwhhg5w9kwcam"))))
     (build-system gnu-build-system)
     (inputs
      `(("libevent" ,libevent)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 4a4a3461d4..064a39b829 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -403,14 +403,14 @@ standards (MPEG-2, MPEG-4 ASP/H.263, MPEG-4 AVC/H.264, and VC-1/VMW3).")
 (define-public ffmpeg
   (package
     (name "ffmpeg")
-    (version "3.1.3")
+    (version "3.1.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "08l8290gipm632dhrqndnphdpkc5ncqc1j3hxdx46r1a3q3mqmzq"))))
+               "0nvb2k0maj5g8llfg47j8z5xpvp4q3g9pab2pp6vpjd5vmwb6358"))))
     (build-system gnu-build-system)
     (inputs
      `(("fontconfig" ,fontconfig)
diff --git a/gnu/packages/wm.scm b/gnu/packages/wm.scm
index 710a93397f..90d1dc1e33 100644
--- a/gnu/packages/wm.scm
+++ b/gnu/packages/wm.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016 doncatnip <gnopap@gmail.com>
+;;; Copyright © 2016 Ivan Vilata i Balaguer <ivan@selidor.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -35,6 +36,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system haskell)
+  #:use-module (guix build-system python)
   #:use-module (gnu packages haskell)
   #:use-module (gnu packages base)
   #:use-module (gnu packages pkg-config)
@@ -59,6 +61,7 @@
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages imagemagick)
   #:use-module (gnu packages lua)
+  #:use-module (gnu packages suckless)
   #:use-module (guix download)
   #:use-module (guix git-download))
 
@@ -203,6 +206,92 @@ from scratch.  i3 is primarily targeted at advanced users and
 developers.")
     (license license:bsd-3)))
 
+(define-public python-i3-py
+  (package
+    (name "python-i3-py")
+    (version "0.6.5")
+    (source
+     (origin
+       ;; The latest release is not tagged in Git nor has an entry in PyPi,
+       ;; but there is still a clear commit for it, and it's been the last one
+       ;; for years.
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/ziberna/i3-py.git")
+             (commit "27f88a616e9ecc340e7d041d3d00782f8a1964c1")))
+       (sha256
+        (base32
+         "1nm719dc2xqlll7vj4c4m7mpjb27lpn3bg3c66gajvnrz2x1nmxs"))
+       (file-name (string-append name "-" version "-checkout"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f ; no tests yet
+       #:phases (modify-phases %standard-phases
+                  (add-after 'install 'install-doc
+                    ;; Copy readme file to documentation directory.
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((doc (string-append (assoc-ref outputs "out")
+                                                "/share/doc/" ,name)))
+                        (install-file "README.md" doc)
+                        ;; Avoid unspecified return value.
+                        #t))))))
+    (propagated-inputs
+     `(("i3-wm" ,i3-wm)))
+    (home-page "https://github.com/ziberna/i3-py")
+    (synopsis "Python interface to the i3 window manager")
+    (description "This package allows you to interact from a Python program
+with the i3 window manager via its IPC socket.  It can send commands and other
+kinds of messages to i3, select the affected containers, filter results and
+subscribe to events.")
+    (license license:gpl3+)))
+
+(define-public python2-i3-py
+  (package-with-python2 python-i3-py))
+
+(define-public quickswitch-i3
+  (let ((commit "ed692b1e8f43b95bd907ced26238ce8ccb2ed28f")
+        (revision "1")) ; Guix package revision
+    (package
+      (name "quickswitch-i3")
+      (version (string-append "2.2-" revision "."
+                              (string-take commit 7)))
+      (source
+       (origin
+         ;; The latest commit is a few years old and just a couple commits
+         ;; after the last tagged release, so we use that latest commit
+         ;; instead of the release.
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/proxypoke/quickswitch-for-i3.git")
+               (commit commit)))
+         (sha256
+          (base32
+           "0447077sama80jcdg5p64zjsvafmz5rbdrirhm1adcdjhkh6iqc5"))
+         (patches (search-patches "quickswitch-fix-dmenu-check.patch"))
+         (file-name (string-append name "-" version "-checkout"))))
+      (build-system python-build-system)
+      (arguments
+       `(#:tests? #f ; no tests yet
+         #:phases (modify-phases %standard-phases
+                    (add-after 'install 'install-doc
+                      ;; Copy readme file to documentation directory.
+                      (lambda* (#:key outputs #:allow-other-keys)
+                        (let ((doc (string-append (assoc-ref outputs "out")
+                                                  "/share/doc/" ,name)))
+                          (install-file "README.rst" doc)
+                          ;; Avoid unspecified return value.
+                          #t))))))
+      (inputs
+       `(("python-i3-py" ,python-i3-py)
+         ("dmenu" ,dmenu)))
+      (home-page "https://github.com/proxypoke/quickswitch-for-i3")
+      (synopsis "Quickly change to and locate windows in the i3 window manager")
+      (description
+       "This utility for the i3 window manager allows you to quickly switch to
+and locate windows on all your workspaces, using an interactive dmenu
+prompt.")
+      (license (license:non-copyleft "http://www.wtfpl.net/txt/copying/")))))
+
 (define-public xmonad
   (package
     (name "xmonad")
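Review bot: In `quickswitch-i3`, `dmenu` is listed under `inputs`, but the only phase added is `install-doc`, so nothing in this hunk makes the installed script refer to dmenu by its store path. Unless quickswitch-fix-dmenu-check.patch does that (its content is not part of this hunk), the program will run whichever `dmenu` comes first on the user's PATH, or fail when none is installed. Either state the intent next to the input, for example `;; dmenu is looked up through PATH at run time`, or add a phase that rewrites the dmenu reference to the store item. Both new packages also set `#:tests? #f`, so neither pinned commit is exercised at build time.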
diff --git a/gnu/services/admin.scm b/gnu/services/admin.scm
new file mode 100644
index 0000000000..d8086b78d4
--- /dev/null
+++ b/gnu/services/admin.scm
@@ -0,0 +1,119 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of thye GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services admin)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages base)
+  #:use-module (gnu services)
+  #:use-module (gnu services mcron)
+  #:use-module (gnu services shepherd)
+  #:use-module (guix gexp)
+  #:use-module (guix packages)
+  #:use-module (guix records)
+  #:use-module (srfi srfi-1)
+  #:export (%default-rotations
+            %rotated-files
+            rottlog-configuration
+            rottlog-configuration?
+            rottlog-service
+            rottlog-service-type))
+
+;;; Commentary:
+;;;
+;;; This module implements configuration of rottlog by writing
+;;; /etc/rottlog/{rc,hourly|daily|weekly}.  Example usage
+;;;
+;;;     (mcron-service)
+;;;     (service rottlog-service-type (rottlog-configuration))
+;;;
+;;; Code:
+
+(define %rotated-files
+  ;; Syslog files subject to rotation.
+  '("/var/log/messages" "/var/log/secure" "/var/log/maillog"))
+
+(define (syslog-rotation-config files)
+  #~(string-append #$(string-join files ",")
+                 " {
+        sharedscripts
+        postrotate
+        " #$coreutils "/bin/kill -HUP $(cat /var/run/syslog.pid) 2> /dev/null
+        endscript
+}
+"))
+
+(define (simple-rotation-config file)
+  (string-append file " {
+        sharedscripts
+}
+"))
+
+(define %default-rotations
+  `(("weekly"
+     ,(computed-file "rottlog.weekly"
+                     #~(call-with-output-file #$output
+                         (lambda (port)
+                           (display #$(syslog-rotation-config %rotated-files)
+                                    port)
+                           (display #$(simple-rotation-config
+                                       "/var/log/shepherd.log")
+                                    port)))))))
+
+(define (default-jobs rottlog)
+  (list #~(job '(next-hour '(0))                  ;midnight
+               (lambda ()
+                 (system* #$(file-append rottlog "/sbin/rottlog"))))
+        #~(job '(next-hour '(12))                 ;noon
+               (lambda ()
+                 (system* #$(file-append rottlog "/sbin/rottlog"))))))
+
+(define-record-type* <rottlog-configuration>
+  rottlog-configuration make-rottlog-configuration
+  rottlog-configuration?
+  (rottlog            rottlog-rottlog             ;package
+                      (default rottlog))
+  (rc-file            rottlog-rc-file             ;file-like
+                      (default (file-append rottlog "/etc/rc")))
+  (periodic-rotations rottlog-periodic-rotations  ;list of (name file) tuples
+                      (default %default-rotations))
+  (jobs               rottlog-jobs                ;list of <mcron-job>
+                      (default #f)))
+
+(define (rottlog-etc config)
+  `(("rottlog" ,(file-union "rottlog"
+                            (cons `("rc" ,(rottlog-rc-file config))
+                                  (rottlog-periodic-rotations config))))))
+
+(define (rottlog-jobs-or-default config)
+  (or (rottlog-jobs config)
+      (default-jobs (rottlog-rottlog config))))
+
+(define rottlog-service-type
+  (service-type
+   (name 'rottlog)
+   (extensions (list (service-extension etc-service-type rottlog-etc)
+                     (service-extension mcron-service-type
+                                        rottlog-jobs-or-default)
+
+                     ;; Add Rottlog to the global profile so users can access
+                     ;; the documentation.
+                     (service-extension profile-service-type
+                                        (compose list rottlog-rottlog))))))
+
+;;; admin.scm ends here
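Review bot: The postrotate command in `syslog-rotation-config` discards stderr with `2> /dev/null`, so when /var/run/syslog.pid is missing or stale the HUP fails silently. syslogd then presumably keeps writing to the rotated files, /var/log/secure included, with nothing recorded. Dropping the redirection lets the failure show up in the job's output: `" #$coreutils "/bin/kill -HUP $(cat /var/run/syslog.pid)`. Separately, the `#:export` list names `rottlog-service`, but this new file defines no such binding; either remove it from the list or add the procedure. `%default-rotations` would also benefit from a comment saying that only a "weekly" file is generated while `default-jobs` runs rottlog at midnight and noon.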
diff --git a/gnu/services/nfs.scm b/gnu/services/nfs.scm
index 82713d8133..b1e1f53fb6 100644
--- a/gnu/services/nfs.scm
+++ b/gnu/services/nfs.scm
@@ -38,11 +38,11 @@
   (shepherd-service-type
    'rpcbind
    (lambda (config)
-     (define pkg
+     (define nfs-utils
        (rpcbind-configuration-rpcbind config))
 
      (define rpcbind-command
-       #~(list (string-append #$pkg "/bin/rpcbind") "-f"
+       #~(list (string-append #$nfs-utils "/bin/rpcbind") "-f"
                #$@(if (rpcbind-configuration-warm-start? config) '("-w") '())))
 
      (shepherd-service
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 084f8fa4ea..6da612da67 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -50,7 +50,6 @@
 ;;;
 ;;; Code:
 
-;; TODO: Export.
 (define-record-type* <lsh-configuration>
   lsh-configuration make-lsh-configuration
   lsh-configuration?
@@ -261,15 +260,24 @@ The other options should be self-descriptive."
 (define-record-type* <openssh-configuration>
   openssh-configuration make-openssh-configuration
   openssh-configuration?
-  (pid-file              openssh-configuration-pid-file) ;string
-  (port-number           openssh-configuration-port-number) ;integer
-  (permit-root-login     openssh-configuration-permit-root-login) ;Boolean | 'without-password
-  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
-  (password-authentication? openssh-configuration-password-authentication?) ;Boolean
-  (pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
-  (rsa-authentication?   openssh-configuration-rsa-authentication?) ;Boolean
-  (x11-forwarding?       openssh-configuration-x11-forwarding?) ;Boolean
-  (protocol-number       openssh-configuration-protocol-number)) ;integer
+  (pid-file              openssh-configuration-pid-file
+                         (default "/var/run/sshd.pid"))
+  (port-number           openssh-configuration-port-number ;integer
+                         (default 22))
+  (permit-root-login     openssh-configuration-permit-root-login ;Boolean | 'without-password
+                         (default #f))
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+                          (default #f))
+  (password-authentication? openssh-configuration-password-authentication? ;Boolean
+                            (default #t))
+  (public-key-authentication? openssh-configuration-public-key-authentication?
+                              (default #t))                         ;Boolean
+  (rsa-authentication?   openssh-configuration-rsa-authentication?  ;Boolean
+                         (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding? ;Boolean
+                         (default #f))
+  (protocol-number       openssh-configuration-protocol-number ;integer
+                         (default 2)))
 
 (define %openssh-accounts
   (list (user-group (name "sshd") (system? #t))
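Review bot: `rsa-authentication?` now defaults to `#t` while `protocol-number` defaults to 2, but OpenSSH's RSAAuthentication option applies to protocol version 1 only, so the two defaults do not describe one coherent configuration. Using `(default #f)` there, or annotating the field `;Boolean, protocol 1 only`, would make that explicit. A bare `(openssh-configuration)` also enables password logins, because `password-authentication?` defaults to `#t`; that deserves a field comment, since these defaults are what an administrator gets without reading further. On style, `pid-file` lost its `;string` annotation and the `;Boolean` for `public-key-authentication?` sits on the default line, unlike the neighbouring fields.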
@@ -314,7 +322,7 @@ The other options should be self-descriptive."
                  #$(if (openssh-configuration-password-authentication? config)
                        "yes" "no"))
          (format port "PubkeyAuthentication ~a\n"
-                 #$(if (openssh-configuration-pubkey-authentication? config)
+                 #$(if (openssh-configuration-public-key-authentication? config)
                        "yes" "no"))
          (format port "RSAAuthentication ~a\n"
                  #$(if (openssh-configuration-rsa-authentication? config)
@@ -354,27 +362,6 @@ The other options should be self-descriptive."
                        (service-extension account-service-type
                                           (const %openssh-accounts))))))
 
-(define* (openssh-service #:key
-                          (pid-file "/var/run/sshd.pid")
-                          (port-number 22)
-                          (permit-root-login 'without-password)
-                          (allow-empty-passwords? #f)
-                          (password-authentication? #t)
-                          (pubkey-authentication? #t)
-                          (rsa-authentication? #t)
-                          (x11-forwarding? #f)
-                          (protocol-number 2))
-  (service openssh-service-type (openssh-configuration
-                                 (pid-file pid-file)
-                                 (port-number port-number)
-                                 (permit-root-login permit-root-login)
-                                 (allow-empty-passwords? allow-empty-passwords?)
-                                 (password-authentication? password-authentication?)
-                                 (pubkey-authentication? pubkey-authentication?)
-                                 (rsa-authentication? rsa-authentication?)
-                                 (x11-forwarding? x11-forwarding?)
-                                 (protocol-number protocol-number))))
-
 
 ;;;
 ;;; Dropbear.
diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
new file mode 100644
index 0000000000..456476e69d
--- /dev/null
+++ b/gnu/tests/ssh.scm
@@ -0,0 +1,193 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests ssh)
+  #:use-module (gnu tests)
+  #:use-module (gnu system)
+  #:use-module (gnu system grub)
+  #:use-module (gnu system file-systems)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu system vm)
+  #:use-module (gnu services)
+  #:use-module (gnu services base)
+  #:use-module (gnu services ssh)
+  #:use-module (gnu services networking)
+  #:use-module (gnu packages ssh)
+  #:use-module (guix gexp)
+  #:use-module (guix store)
+  #:use-module (guix monads)
+  #:export (%test-openssh
+            %test-dropbear))
+
+(define %base-os
+  (operating-system
+    (host-name "komputilo")
+    (timezone "Europe/Berlin")
+    (locale "en_US.UTF-8")
+
+    (bootloader (grub-configuration (device "/dev/sdX")))
+    (file-systems %base-file-systems)
+    (firmware '())
+    (users %base-user-accounts)
+    (services (cons (dhcp-client-service)
+                    %base-services))))
+
+(define (os-with-service service)
+  "Return a test operating system that runs SERVICE."
+  (operating-system
+    (inherit %base-os)
+    (services (cons service
+                    (operating-system-user-services %base-os)))))
+
+(define (run-ssh-test name ssh-service pid-file)
+  "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
+SSH-SERVICE must be configured to listen on port 22 and to allow for root and
+empty-password logins."
+  (mlet* %store-monad ((os ->   (marionette-operating-system
+                                 (os-with-service ssh-service)
+                                 #:imported-modules '((gnu services herd)
+                                                      (guix combinators))))
+                       (command (system-qemu-image/shared-store-script
+                                 os #:graphic? #f)))
+    (define test
+      (with-imported-modules '((gnu build marionette))
+        #~(begin
+            (eval-when (expand load eval)
+              ;; Prepare to use Guile-SSH.
+              (set! %load-path
+                (cons (string-append #$guile-ssh "/share/guile/site/"
+                                     (effective-version))
+                      %load-path)))
+
+            (use-modules (gnu build marionette)
+                         (srfi srfi-26)
+                         (srfi srfi-64)
+                         (ice-9 match)
+                         (ssh session)
+                         (ssh auth)
+                         (ssh channel))
+
+            (define marionette
+              ;; Enable TCP forwarding of the guest's port 22.
+              (make-marionette (list #$command "-net"
+                                     "user,hostfwd=tcp::2222-:22")))
+
+            (define (wait-for-file file)
+              ;; Wait until FILE exists in the guest; 'read' its content and
+              ;; return it.
+              (marionette-eval
+               `(let loop ((i 10))
+                  (cond ((file-exists? ,file)
+                         (call-with-input-file ,file read))
+                        ((> i 0)
+                         (sleep 1)
+                         (loop (- i 1)))
+                        (else
+                         (error "file didn't show up" ,file))))
+               marionette))
+
+            (mkdir #$output)
+            (chdir #$output)
+
+            (test-begin "ssh-daemon")
+
+            ;; Wait for sshd to be up and running.
+            (test-eq "service running"
+              'running!
+              (marionette-eval
+               '(begin
+                  (use-modules (gnu services herd))
+                  (start-service 'ssh-daemon)
+                  'running!)
+               marionette))
+
+            ;; Check sshd's PID file.
+            (test-equal "sshd PID"
+              (wait-for-file #$pid-file)
+              (marionette-eval
+               '(begin
+                  (use-modules (gnu services herd)
+                               (srfi srfi-1))
+
+                  (live-service-running
+                   (find (lambda (live)
+                           (memq 'ssh-daemon
+                                 (live-service-provision live)))
+                         (current-services))))
+               marionette))
+
+            ;; Connect to the guest over SSH.  We should be able to connect as
+            ;; "root" with an empty password.  Make sure we can run a shell
+            ;; command there.
+            (test-equal "connect"
+              'hello
+              (let* ((session (make-session #:user "root"
+                                            #:port 2222 #:host "localhost"
+                                            #:log-verbosity 'protocol)))
+                (match (connect! session)
+                  ('ok
+                   ;; Try the simple authentication methods.  Dropbear
+                   ;; requires 'none' when there are no passwords, whereas
+                   ;; OpenSSH accepts 'password' with an empty password.
+                   (let loop ((methods (list (cut userauth-password! <> "")
+                                             (cut userauth-none! <>))))
+                     (match methods
+                       (()
+                        (error "all the authentication methods failed"))
+                       ((auth rest ...)
+                        (match (pk 'auth (auth session))
+                          ('success
+                           ;; FIXME: 'get-server-public-key' segfaults.
+                           ;; (get-server-public-key session)
+                           (let ((channel (make-channel session)))
+                             (channel-open-session channel)
+                             (channel-request-exec channel
+                                                   "echo hello > /root/witness")
+                             (and (zero? (channel-get-exit-status channel))
+                                  (wait-for-file "/root/witness"))))
+                          ('denied
+                           (loop rest))))))))))
+
+            (test-end)
+            (exit (= (test-runner-fail-count (test-runner-current)) 0)))))
+
+    (gexp->derivation name test)))
+
+(define %test-openssh
+  (system-test
+   (name "openssh")
+   (description "Connect to a running OpenSSH daemon.")
+   (value (run-ssh-test name
+                        ;; Allow root logins with an empty password to
+                        ;; simplify testing.
+                        (service openssh-service-type
+                                 (openssh-configuration
+                                  (permit-root-login #t)
+                                  (allow-empty-passwords? #t)))
+                        "/var/run/sshd.pid"))))
+
+(define %test-dropbear
+  (system-test
+   (name "dropbear")
+   (description "Connect to a running Dropbear SSH daemon.")
+   (value (run-ssh-test name
+                        (service dropbear-service-type
+                                 (dropbear-configuration
+                                  (root-login? #t)
+                                  (allow-empty-passwords? #t)))
+                        "/var/run/dropbear.pid"))))
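Review bot: The forwarding rule `"user,hostfwd=tcp::2222-:22"` in the `marionette` definition leaves the host address empty, which as far as I know makes QEMU listen on every host interface, and the guest behind it accepts root with an empty password. Binding the forward to loopback keeps the test VM unreachable from other machines if the script is ever run outside an isolated build environment: `"user,hostfwd=tcp:127.0.0.1:2222-:22"`. `%test-dropbear` should also carry the comment that `%test-openssh` has, `;; Allow root logins with an empty password to simplify testing.`, so the weakened settings are visibly test-only in both places.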