Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/base.scm38
-rw-r--r--gnu/packages/bootstrap.scm2
-rw-r--r--gnu/packages/check.scm8
-rw-r--r--gnu/packages/cmake.scm5
-rw-r--r--gnu/packages/commencement.scm73
-rw-r--r--gnu/packages/compression.scm6
-rw-r--r--gnu/packages/databases.scm4
-rw-r--r--gnu/packages/ed.scm16
-rw-r--r--gnu/packages/emacs.scm8
-rw-r--r--gnu/packages/fonts.scm4
-rw-r--r--gnu/packages/fontutils.scm8
-rw-r--r--gnu/packages/gcc.scm11
-rw-r--r--gnu/packages/gnupg.scm5
-rw-r--r--gnu/packages/image.scm4
-rw-r--r--gnu/packages/ld-wrapper.in6
-rw-r--r--gnu/packages/linux.scm38
-rw-r--r--gnu/packages/multiprecision.scm4
-rw-r--r--gnu/packages/patches/expat-CVE-2015-1283.patch89
-rw-r--r--gnu/packages/patches/gcc-libiberty-printf-decl.patch28
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-7547.patch559
-rw-r--r--gnu/packages/patches/glibc-locale-incompatibility.patch23
-rw-r--r--gnu/packages/pcre.scm6
-rw-r--r--gnu/packages/perl.scm39
-rw-r--r--gnu/packages/python.scm82
-rw-r--r--gnu/packages/texinfo.scm20
-rw-r--r--gnu/packages/tls.scm8
-rw-r--r--gnu/packages/xdisorg.scm4
-rw-r--r--gnu/packages/xml.scm9
-rw-r--r--gnu/system/shadow.scm23
30 files changed, 253 insertions, 881 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 702c9a602e..8d945e835d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -463,7 +463,6 @@ dist_patch_DATA =						\
   gnu/packages/patches/emacs-source-date-epoch.patch		\
   gnu/packages/patches/eudev-rules-directory.patch		\
   gnu/packages/patches/evilwm-lost-focus-bug.patch		\
-  gnu/packages/patches/expat-CVE-2015-1283.patch		\
   gnu/packages/patches/fastcap-mulGlobal.patch			\
   gnu/packages/patches/fastcap-mulSetup.patch			\
   gnu/packages/patches/fasthenry-spAllocate.patch		\
@@ -484,6 +483,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/gawk-shell.patch				\
   gnu/packages/patches/gcc-arm-link-spec-fix.patch		\
   gnu/packages/patches/gcc-cross-environment-variables.patch	\
+  gnu/packages/patches/gcc-libiberty-printf-decl.patch		\
   gnu/packages/patches/gcc-libvtv-runpath.patch			\
   gnu/packages/patches/gcc-5.0-libvtv-runpath.patch		\
   gnu/packages/patches/geoclue-config.patch			\
@@ -495,12 +495,10 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-prlimit.patch			\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glib-tests-gapplication.patch		\
-  gnu/packages/patches/glibc-CVE-2015-7547.patch		\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
   gnu/packages/patches/glibc-hurd-extern-inline.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/glibc-locales.patch			\
-  gnu/packages/patches/glibc-locale-incompatibility.patch	\
   gnu/packages/patches/glibc-o-largefile.patch			\
   gnu/packages/patches/glibc-versioned-locpath.patch		\
   gnu/packages/patches/gmp-arm-asm-nothumb.patch		\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 1c4ebbf64f..fce193ceec 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -74,14 +74,14 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.22")
+   (version "2.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "1srn321x7whlhs5ks36zlcrrmj4iahll8fxwsh1vbz3v04px54fa"))
+              "0c38b67cnwchwzv4wq2gpz6smkhdxrac2hhssv8f0l04qnx867p2"))
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
@@ -242,23 +242,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.24")
+   (version "8.25")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0w11jw3fb5sslf0f72kxy7llxgk1ia3a6bcw0c9kmvxrlj355mx2"))
-            (patches
-             (list (origin
-                     (method url-fetch)
-                     (uri "http://git.savannah.gnu.org/cgit/coreutils.git/\
-patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0")
-                     (sha256
-                      (base32
-                       "1dnlszhc8lihhg801i9sz896mlrgfsjfcz62636prb27k5hmixqz"))
-                     (file-name "coreutils-tail-inotify-race.patch"))))))
+              "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -465,14 +456,14 @@ store.")
 (define-public glibc
   (package
    (name "glibc")
-   (version "2.22")
+   (version "2.23")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/glibc/glibc-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
+              "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
             (snippet
              ;; Disable 'ldconfig' and /etc/ld.so.cache.  The latter is
              ;; required on LFS distros to avoid loading the distro's libc.so
@@ -481,12 +472,9 @@ store.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches
-             (search-patches "glibc-ldd-x86_64.patch"
-                             "glibc-locale-incompatibility.patch"
-                             "glibc-versioned-locpath.patch"
-                             "glibc-o-largefile.patch"
-                             "glibc-CVE-2015-7547.patch"))))
+            (patches (search-patches "glibc-ldd-x86_64.patch"
+                                     "glibc-versioned-locpath.patch"
+                                     "glibc-o-largefile.patch"))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
@@ -503,7 +491,7 @@ store.")
       #:parallel-build? #f
 
       ;; The libraries have an empty RUNPATH, but some, such as the versioned
-      ;; libraries (libdl-2.22.so, etc.) have ld.so marked as NEEDED.  Since
+      ;; libraries (libdl-2.23.so, etc.) have ld.so marked as NEEDED.  Since
       ;; these libraries are always going to be found anyway, just skip
       ;; RUNPATH checks.
       #:validate-runpath? #f
@@ -545,7 +533,7 @@ store.")
                            "/bin/bash")
 
             ;; XXX: Work around "undefined reference to `__stack_chk_guard'".
-            "libc_cv_ssp=no")
+            "libc_cv_ssp=no" "libc_cv_ssp_strong=no")
 
       #:tests? #f                                 ; XXX
       #:phases (modify-phases %standard-phases
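Review bot: The comment above `"libc_cv_ssp=no" "libc_cv_ssp_strong=no"` records only the link error, not what the work-around costs. These settings override configure's stack-protector detection, so glibc is presumably built without `-fstack-protector`, and now also without `-fstack-protector-strong`. A second comment line would make the hardening trade-off visible and give the XXX an exit condition, for example `;; Both settings build glibc without stack-protector hardening; drop them once the link error is fixed.` The enclosing `#:configure-flags` form starts outside this hunk.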
@@ -559,10 +547,6 @@ store.")
                            ;; but cross-base uses it as a native input.
                            (bash (or (assoc-ref inputs "static-bash")
                                      (assoc-ref native-inputs "static-bash"))))
-                      ;; Use `pwd', not `/bin/pwd'.
-                      (substitute* "configure"
-                        (("/bin/pwd") "pwd"))
-
                       ;; Install the rpc data base file under `$out/etc/rpc'.
                       ;; FIXME: Use installFlags = [ "sysconfdir=$(out)/etc" ];
                       (substitute* "sunrpc/Makefile"
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index a3cd18519c..2aa4711ba8 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -61,7 +61,7 @@
   (define (boot fetch)
     (lambda* (url hash-algo hash
               #:optional name #:key system)
-      (fetch url hash-algo hash
+      (fetch url hash-algo hash name
              #:guile %bootstrap-guile
              #:system system)))
 
diff --git a/gnu/packages/check.scm b/gnu/packages/check.scm
index 9eef7a9a71..2b2dce9e9e 100644
--- a/gnu/packages/check.scm
+++ b/gnu/packages/check.scm
@@ -35,15 +35,15 @@
 (define-public check
   (package
     (name "check")
-    (version "0.9.14")
+    (version "0.10.0")
     (source
      (origin
       (method url-fetch)
-      (uri (string-append "mirror://sourceforge/check/check/"
-                          version "/check-" version ".tar.gz"))
+      (uri (string-append "https://github.com/libcheck/check/files/71408/"
+                          "/check-" version ".tar.gz"))
       (sha256
        (base32
-        "02l4g79d81s07hzywcv1knwj5dyrwjiq2pgxaz7kidxi8m364wn2"))))
+        "0lhhywf5nxl3dd0hdakra3aasl590756c9kmvyifb3vgm9k0gxgm"))))
     (build-system gnu-build-system)
     (home-page "https://libcheck.github.io/check/")
     (synopsis "Unit test framework for C")
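Review bot: The new `uri` produces a double slash, `.../files/71408//check-0.10.0.tar.gz`, because the first string ends in `/` and the second starts with `/`. The attachment id `71408` is also fixed while `version` is interpolated, so a later version bump would still point at the 0.10.0 upload directory and fail to fetch. I would write `(uri (string-append "https://github.com/libcheck/check/files/71408/check-" version ".tar.gz"))` and add `;; The numeric id is specific to this release; update it together with 'version'.` The `sha256` still pins the tarball content, so this affects fetch reliability rather than integrity.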
diff --git a/gnu/packages/cmake.scm b/gnu/packages/cmake.scm
index 1cb1e06993..cac059ec37 100644
--- a/gnu/packages/cmake.scm
+++ b/gnu/packages/cmake.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,7 +37,7 @@
 (define-public cmake
   (package
     (name "cmake")
-    (version "3.3.2")
+    (version "3.5.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://www.cmake.org/files/v"
@@ -44,7 +45,7 @@
                                  "/cmake-" version ".tar.gz"))
              (sha256
               (base32
-               "08pwy9ip9cgwgynhn5vrjw8drw29gijy1rmziq22n65zds6ifnp7"))
+               "1yly38mpk2s08b4rglp9xcw5pxalk0whp9hrcg7j8qpxlkc3mj4j"))
              (patches (search-patches "cmake-fix-tests.patch"))))
     (build-system gnu-build-system)
     (arguments
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 6dfe5c9cb7..463f42537c 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -170,6 +170,26 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+(define libstdc++-boot0
+  ;; GCC's libcc1 is always built as a shared library (the top-level
+  ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
+  ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
+  ;; C++14 features missing in our bootstrap compiler.
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+    (package
+      (inherit lib)
+      (name "libstdc++-boot0")
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ,@(package-arguments lib)))
+      (inputs %boot0-inputs)
+      (native-inputs '()))))
+
 (define gcc-boot0
   (package-with-bootstrap-guile
    (package (inherit gcc)
@@ -255,14 +275,13 @@
                ("mpc-source" ,(package-source mpc))
                ("binutils-cross" ,binutils-boot0)
 
+               ;; The libstdc++ that libcc1 links against.
+               ("libstdc++" ,libstdc++-boot0)
+
                ;; Call it differently so that the builder can check whether
                ;; the "libc" input is #f.
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
-               ,@(alist-delete "libc" %boot0-inputs)))
-
-     ;; No need for Texinfo at this stage.
-     (native-inputs (alist-delete "texinfo"
-                                  (package-native-inputs gcc))))))
+               ,@(alist-delete "libc" %boot0-inputs))))))
 
 (define perl-boot0
   (let ((perl (package
@@ -270,21 +289,24 @@
                 (name "perl-boot0")
                 (replacement #f)
                 (arguments
-                 (substitute-keyword-arguments (package-arguments perl)
-                   ((#:phases phases)
-                    `(modify-phases ,phases
-                       ;; Pthread support is missing in the bootstrap compiler
-                       ;; (broken spec file), so disable it.
-                       (add-before 'configure 'disable-pthreads
-                         (lambda _
-                           (substitute* "Configure"
-                             (("^libswanted=(.*)pthread" _ before)
-                              (string-append "libswanted=" before))))))))))))
-   (package-with-bootstrap-guile
-    (package-with-explicit-inputs perl
-                                  %boot0-inputs
-                                  (current-source-location)
-                                  #:guile %bootstrap-guile))))
+                 ;; At the very least, this must not depend on GCC & co.
+                 (let ((args `(#:disallowed-references
+                               ,(list %bootstrap-binutils))))
+                   (substitute-keyword-arguments (package-arguments perl)
+                     ((#:phases phases)
+                      `(modify-phases ,phases
+                         ;; Pthread support is missing in the bootstrap compiler
+                         ;; (broken spec file), so disable it.
+                         (add-before 'configure 'disable-pthreads
+                           (lambda _
+                             (substitute* "Configure"
+                               (("^libswanted=(.*)pthread" _ before)
+                                (string-append "libswanted=" before)))))))))))))
+    (package-with-bootstrap-guile
+     (package-with-explicit-inputs perl
+                                   %boot0-inputs
+                                   (current-source-location)
+                                   #:guile %bootstrap-guile))))
 
 (define (linux-libre-headers-boot0)
   "Return Linux-Libre header files for the bootstrap environment."
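Review bot: The `args` binding introduced by the new `let` in perl-boot0 is never used. The body still returns only `(substitute-keyword-arguments (package-arguments perl) ...)`, so `#:disallowed-references` with `%bootstrap-binutils` never reaches the package's arguments. The check the comment promises ("this must not depend on GCC & co.") is therefore not enforced, and a stray reference to the bootstrap toolchain would pass unnoticed. Splice the binding into the result, e.g. wrap the body as `` `(,@args ,@(substitute-keyword-arguments (package-arguments perl) ...)) ``. The `(define perl-boot0` form begins above this hunk.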
@@ -306,7 +328,12 @@
   ;; Also, use %BOOT0-INPUTS to avoid building Perl once more.
   (let ((texinfo (package (inherit texinfo)
                    (native-inputs '())
-                   (inputs `(("perl" ,perl-boot0))))))
+                   (inputs `(("perl" ,perl-boot0)))
+
+                   ;; Some of Texinfo 6.1's tests would fail with "Couldn't
+                   ;; set UTF-8 character type in locale" but we don't have a
+                   ;; UTF-8 locale at this stage, so skip them.
+                   (arguments '(#:tests? #f)))))
     (package-with-bootstrap-guile
      (package-with-explicit-inputs texinfo %boot0-inputs
                                    (current-source-location)
@@ -874,9 +901,9 @@ and binaries, plus debugging symbols in the 'debug' output), and Binutils.")
   (gcc-toolchain gcc-4.8))
 
 (define-public gcc-toolchain-4.9
-  (gcc-toolchain gcc-final))
+  (gcc-toolchain gcc-4.9))
 
 (define-public gcc-toolchain-5
-  (gcc-toolchain gcc-5))
+  (gcc-toolchain gcc-final))
 
 ;;; commencement.scm ends here
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 8043422f8b..e5cacf5ca7 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -131,14 +131,14 @@ adding and extracting files to/from a tar archive.")
 (define-public gzip
   (package
    (name "gzip")
-   (version "1.6")
+   (version "1.8")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/gzip/gzip-"
-                                version ".tar.gz"))
+                                version ".tar.xz"))
             (sha256
              (base32
-              "0zlgdm4v3dndrbiz7b67mbbj25dpwqbmbzjiycssvrfrcfvq7swp"))))
+              "1lxv3p4iyx7833mlihkn5wfwmz4cys5nybwpz3dfawag8kn6f5zz"))))
    (build-system gnu-build-system)
    (synopsis "General file (de)compression (using lzw)")
    (arguments
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 9aee7b796a..88a784d293 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -350,7 +350,7 @@ types are supported, as is encryption.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.10.0")
+   (version "3.11.1")
    (source (origin
             (method url-fetch)
             ;; TODO: Download from sqlite.org once this bug :
@@ -381,7 +381,7 @@ types are supported, as is encryption.")
                    ))
             (sha256
              (base32
-              "0hhhv6si0pyf5i8bv7a71953m0b4gk6s3j2h09caf7vif0njkk23"))))
+              "0xs3gl3kbxqfx2ahrymgcf2n8c8sy37724jr05pncbhw4z8g2gsk"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
diff --git a/gnu/packages/ed.scm b/gnu/packages/ed.scm
index 7cd1fcd71d..3668aac19a 100644
--- a/gnu/packages/ed.scm
+++ b/gnu/packages/ed.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -27,23 +28,24 @@
 (define-public ed
   (package
     (name "ed")
-    (version "1.12")
+    (version "1.13")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/ed/ed-"
                                  version ".tar.lz"))
              (sha256
               (base32
-               "0bw0187a311rci58vznvncsj6pfp8bhs5phrlrqn03sa2i1mfrfj"))))
+               "1ly7i1iw02vbcd0zrx084z577ngxnarffmkm45dg6vndad5carnd"))))
     (build-system gnu-build-system)
     (native-inputs `(("lzip" ,lzip)))
     (arguments
      '(#:configure-flags '("CC=gcc")
-       #:phases (alist-cons-before 'patch-source-shebangs 'patch-test-suite
-                                   (lambda _
-                                     (substitute* "testsuite/check.sh"
-                                       (("/bin/sh") (which "sh"))))
-                                   %standard-phases)))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'patch-source-shebangs 'patch-test-suite
+                     (lambda _
+                       (substitute* "testsuite/check.sh"
+                         (("/bin/sh") (which "sh"))))))))
     (home-page "http://www.gnu.org/software/ed/")
     (synopsis "Line-oriented text editor")
     (description
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index 11010b2a47..4ffc3c1b7f 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -89,14 +89,6 @@
              (substitute* (find-files "." "^Makefile\\.in$")
                (("/bin/pwd")
                 "pwd"))))
-         (add-after 'install 'remove-info.info
-           (lambda* (#:key outputs #:allow-other-keys)
-             ;; Remove 'info.info', which is provided by Texinfo <= 6.0.
-             ;; TODO: Remove this phase when we switch to Texinfo 6.1.
-             (let ((out (assoc-ref outputs "out")))
-               (delete-file
-                (string-append out "/share/info/info.info.gz"))
-               #t)))
          (add-after 'install 'install-site-start
            ;; Copy guix-emacs.el from Guix and add it to site-start.el.  This
            ;; way, Emacs packages provided by Guix and installed in
diff --git a/gnu/packages/fonts.scm b/gnu/packages/fonts.scm
index 893db56ee5..deb11841da 100644
--- a/gnu/packages/fonts.scm
+++ b/gnu/packages/fonts.scm
@@ -124,7 +124,7 @@ TrueType (TTF) files.")
 (define-public font-dejavu
   (package
     (name "font-dejavu")
-    (version "2.34")
+    (version "2.35")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/dejavu/"
@@ -132,7 +132,7 @@ TrueType (TTF) files.")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0pgb0a3ngamidacmrvasg51ck3gp8gn93w6sf1s8snwzx4x2r9yh"))))
+               "122d35y93r820zhi6d7m9xhakdib10z51v63lnlg67qhhrardmzn"))))
     (build-system trivial-build-system)
     (arguments
      `(#:modules ((guix build utils))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 5f6ff15935..0ce7e6039d 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -247,10 +247,10 @@ fonts to/from the WOFF2 format.")
                            (assoc-ref %build-inputs "gs-fonts")
                            "/share/fonts")
 
-            ;; register fonts from user profile
-            ;; TODO: Add /run/current-system/profile/share/fonts and remove
-            ;; the skeleton that works around it from 'default-skeletons'.
-            "--with-add-fonts=~/.guix-profile/share/fonts"
+            ;; Register fonts from user and system profiles.
+            (string-append "--with-add-fonts="
+                           "~/.guix-profile/share/fonts,"
+                           "/run/current-system/profile/share/fonts")
 
             ;; python is not actually needed
             "PYTHON=false")
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index a2b8126872..04d3f93369 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
@@ -153,7 +153,7 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                 ("libelf" ,libelf)
                 ("zlib" ,zlib)))
 
-      ;; GCC is one of the few packages that doesn't ship .info files.
+      ;; GCC < 5 is one of the few packages that doesn't ship .info files.
       (native-inputs `(("texinfo" ,texinfo)))
 
       (arguments
@@ -352,11 +352,14 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"))
-              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"))))))
+              (patches (search-patches "gcc-5.0-libvtv-runpath.patch"
+                                       "gcc-libiberty-printf-decl.patch"))))
+    ;; GCC 5 ships with .info files, so no need for Texinfo.
+    (native-inputs '())))
 
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
-(define-public gcc gcc-4.9)
+(define-public gcc gcc-5)
 
 (define-public (make-libstdc++ gcc)
   "Return a libstdc++ package based on GCC.  The primary use case is when
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index d447007260..3f3964e74b 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
+;;; Copyright © 2016 Nils Gillmann <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -72,14 +73,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.6.5")
+    (version "1.7.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
+               "14pspxwrqcgfklw3dgmywbxqwdzcym7fznfrqh9rk4vl8jkpxrmh"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index db64ea0c9b..669ad5b938 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -392,14 +392,14 @@ error-resilience, a Java-viewer for j2k-images, ...")
 (define-public giflib
   (package
     (name "giflib")
-    (version "5.1.1")
+    (version "5.1.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/giflib/giflib-"
                                   (first (string-split version #\.))
                                   ".x/giflib-" version ".tar.bz2"))
               (sha256
-               (base32 "1z1gzq16sdya8xnl5qjc07634kkwj5m0n3bvvj4v9j11xfn1841r"))))
+               (base32 "0z1adsza46q84chkxwr6x8ph11k117k8nywkzwar6bxhqf2a1h3n"))))
     (build-system gnu-build-system)
     (outputs '("bin"                    ; utility programs
                "out"))                  ; library
diff --git a/gnu/packages/ld-wrapper.in b/gnu/packages/ld-wrapper.in
index c92ed1dcc7..ebfd8332c4 100644
--- a/gnu/packages/ld-wrapper.in
+++ b/gnu/packages/ld-wrapper.in
@@ -6,12 +6,16 @@
 # the shebang line in Linux.
 # Use `load-compiled' because `load' (and `-l') doesn't otherwise load our
 # .go file (see <http://bugs.gnu.org/12519>).
+# Unset 'GUILE_LOAD_COMPILED_PATH' to make sure we do not stumble upon
+# incompatible .go files.  See
+# <https://lists.gnu.org/archive/html/guile-devel/2016-03/msg00000.html>.
 
+unset GUILE_LOAD_COMPILED_PATH
 main="(@ (gnu build-support ld-wrapper) ld-wrapper)"
 exec @GUILE@ -c "(load-compiled \"@SELF@.go\") (apply $main (cdr (command-line)))" "$@"
 !#
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
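Review bot: The added `unset GUILE_LOAD_COMPILED_PATH` clears only one of the Guile search-path variables that the wrapper inherits from its caller; `GUILE_LOAD_PATH` is left untouched. The wrapper's own `.go` is loaded by absolute path (`@SELF@.go`), but any module it imports by name would still be resolved through the inherited environment. Which modules it imports is not visible in this hunk. If it does import any, either add `unset GUILE_LOAD_PATH` next to the new line or extend the comment to say why keeping it is safe.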
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index a26e641342..5f4b041694 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -102,7 +102,7 @@
          version "-gnu.tar.xz")))
 
 (define-public linux-libre-headers
-  (let* ((version "3.14.37")
+  (let* ((version "4.1.18")
          (build-phase
           (lambda (arch)
             `(lambda _
@@ -140,7 +140,7 @@
              (uri (linux-libre-urls version))
              (sha256
               (base32
-               "1blxr2bsvfqi9khj4cpspv434bmx252zak2wsbi2mgl60zh77gza"))))
+               "1bddh2rg645lavhjkk9z75vflba5y0g73z2fjwgbfrj5jb44x9i7"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)))
     (arguments
@@ -465,12 +465,11 @@ providing the system administrator with some help in common tasks.")
                     (("build_kill=yes") "build_kill=no"))
                   #t))))
     (build-system gnu-build-system)
+    (outputs '("out"
+               "static"))      ; >2 MiB of static .a libraries
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
 
-                               ;; Do not build .a files to save 2 MiB.
-                               "--disable-static"
-
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -495,6 +494,19 @@ providing the system administrator with some help in common tasks.")
                        (substitute* "tests/ts/misc/mcookie"
                          (("/etc/services")
                           (string-append net "/etc/services")))
+                       #t)))
+                  (add-after
+                   'install 'move-static-libraries
+                   (lambda* (#:key outputs #:allow-other-keys)
+                     (let ((out    (assoc-ref outputs "out"))
+                           (static (assoc-ref outputs "static")))
+                       (mkdir-p (string-append static "/lib"))
+                       (with-directory-excursion out
+                         (for-each (lambda (file)
+                                     (rename-file file
+                                                  (string-append static "/"
+                                                                 file)))
+                                   (find-files "lib" "\\.a$")))
                        #t))))))
     (inputs `(("zlib" ,zlib)
               ("ncurses" ,ncurses)))
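Review bot: In `move-static-libraries`, `(find-files "lib" "\\.a$")` searches recursively, but only `static/lib` is created before the `rename-file` calls. If a `.a` file ever lands in a subdirectory of `lib`, the rename would fail because the target directory does not exist. Creating the parent per file avoids that: `(mkdir-p (dirname (string-append static "/" file)))` before `rename-file`. It may also be worth checking whether `.la` or `.pc` files left in `out` still point at the moved archives; nothing in the hunk shows either way.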
@@ -2516,12 +2528,26 @@ and copy/paste text in the console and in xterm.")
                (base32
                 "1znf2zhb56zbmdjk3lq107678xwsqwc5gczspypmc5i31qnppy7f"))))
     (build-system gnu-build-system)
+    (outputs '("out"
+               "static"))      ; static versions of binaries in "out" (~16MiB!)
     (arguments
-     '(#:test-target "test"
+     '(#:phases (modify-phases %standard-phases
+                 (add-after 'build 'build-static
+                   (lambda _ (zero? (system* "make" "static"))))
+                 (add-after 'install 'install-static
+                   (let ((staticbin (string-append (assoc-ref %outputs "static")
+                                                  "/bin")))
+                     (lambda _
+                       (zero? (system* "make"
+                                       (string-append "bindir=" staticbin)
+                                       "install-static"))))))
+       #:test-target "test"
        #:parallel-tests? #f)) ; tests fail when run in parallel
     (inputs `(("e2fsprogs" ,e2fsprogs)
               ("libblkid" ,util-linux)
+              ("libblkid:static" ,util-linux "static")
               ("libuuid" ,util-linux)
+              ("libuuid:static" ,util-linux "static")
               ("zlib" ,zlib)
               ("lzo" ,lzo)))
     (native-inputs `(("pkg-config" ,pkg-config)
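Review bot: The new `static` output holds statically linked binaries, which embed the code of libblkid, libuuid and presumably the other libraries rather than referring to them in the store. A security fix to one of those libraries therefore does not reach these binaries until btrfs-progs itself is rebuilt against it, and the output's comment mentions only size. I would extend it, e.g. `"static"))      ; static binaries (~16MiB!); they embed their libraries, so rebuild after library security fixes`. As a style point, `install-static` reads `%outputs` directly while the util-linux phase in this same file takes `#:key outputs`; using `(lambda* (#:key outputs #:allow-other-keys) ...)` here too would keep the two consistent.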
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 99243235ad..46540be5c4 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -80,13 +80,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.3")
+   (version "3.1.4")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "05jaa5z78lvrayld09nyr0v27c1m5dm9l7kr85v2bj4jv65s0db8"))))
+                     "1x8pcnpn1vxfzfsr0js07rwhwyq27fmdzcfjpzi5773ldnqi653n"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/patches/expat-CVE-2015-1283.patch b/gnu/packages/patches/expat-CVE-2015-1283.patch
deleted file mode 100644
index f9065bea16..0000000000
--- a/gnu/packages/patches/expat-CVE-2015-1283.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-Copied from Debian.
-
-Description: fix multiple integer overflows in the XML_GetBuffer function
- Multiple integer overflows in the XML_GetBuffer function in Expat through
- 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products,
- allow remote attackers to cause a denial of service (heap-based buffer
- overflow) or possibly have unspecified other impact via crafted XML data,
- a related issue to CVE-2015-2716.
-Origin: Mozilla, https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
-Author: Eric Rahm <erahm@mozilla.com>
-Forwarded: not-needed
-Last-Update: 2015-07-24
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1673,29 +1673,40 @@ XML_ParseBuffer(XML_Parser parser, int l
-   XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
-   positionPtr = bufferPtr;
-   return result;
- }
- 
- void * XMLCALL
- XML_GetBuffer(XML_Parser parser, int len)
- {
-+/* BEGIN MOZILLA CHANGE (sanity check len) */
-+  if (len < 0) {
-+    errorCode = XML_ERROR_NO_MEMORY;
-+    return NULL;
-+  }
-+/* END MOZILLA CHANGE */
-   switch (ps_parsing) {
-   case XML_SUSPENDED:
-     errorCode = XML_ERROR_SUSPENDED;
-     return NULL;
-   case XML_FINISHED:
-     errorCode = XML_ERROR_FINISHED;
-     return NULL;
-   default: ;
-   }
- 
-   if (len > bufferLim - bufferEnd) {
--    /* FIXME avoid integer overflow */
-     int neededSize = len + (int)(bufferEnd - bufferPtr);
-+/* BEGIN MOZILLA CHANGE (sanity check neededSize) */
-+    if (neededSize < 0) {
-+      errorCode = XML_ERROR_NO_MEMORY;
-+      return NULL;
-+    }
-+/* END MOZILLA CHANGE */
- #ifdef XML_CONTEXT_BYTES
-     int keep = (int)(bufferPtr - buffer);
- 
-     if (keep > XML_CONTEXT_BYTES)
-       keep = XML_CONTEXT_BYTES;
-     neededSize += keep;
- #endif  /* defined XML_CONTEXT_BYTES */
-     if (neededSize  <= bufferLim - buffer) {
-@@ -1714,17 +1725,25 @@ XML_GetBuffer(XML_Parser parser, int len
-     }
-     else {
-       char *newBuf;
-       int bufferSize = (int)(bufferLim - bufferPtr);
-       if (bufferSize == 0)
-         bufferSize = INIT_BUFFER_SIZE;
-       do {
-         bufferSize *= 2;
--      } while (bufferSize < neededSize);
-+/* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
-+      } while (bufferSize < neededSize && bufferSize > 0);
-+/* END MOZILLA CHANGE */
-+/* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
-+      if (bufferSize <= 0) {
-+        errorCode = XML_ERROR_NO_MEMORY;
-+        return NULL;
-+      }
-+/* END MOZILLA CHANGE */
-       newBuf = (char *)MALLOC(bufferSize);
-       if (newBuf == 0) {
-         errorCode = XML_ERROR_NO_MEMORY;
-         return NULL;
-       }
-       bufferLim = newBuf + bufferSize;
- #ifdef XML_CONTEXT_BYTES
-       if (bufferPtr) {
-
-
-
-
diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
new file mode 100644
index 0000000000..a612c9e00e
--- /dev/null
+++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
@@ -0,0 +1,28 @@
+This patch makes the exeception specifier of libiberty's 'asprintf'
+and 'vasprintf' declarations match those of glibc to work around the
+problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>.
+
+The problem in part stems from the fact that libiberty is configured
+without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1
+is configured and built with _GNU_SOURCE, hence the conflicting declarations.
+
+--- gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:46.262709079 +0200
++++ gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:37.110635439 +0200
+@@ -625,7 +625,7 @@ extern int pwait (int, int *, int);
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
+-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2;
+ #endif
+ 
+ /* Like asprintf but allocates memory without fail. This works like
+@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, ..
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
+    must be freed by the caller.  */
+ 
+-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0);
++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0);
+ #endif
+ 
+ /* Like vasprintf but allocates memory without fail. This works like
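Review bot: The two changed declarations use `__THROWNL` with no guard, and that macro is glibc-internal (it comes from `<sys/cdefs.h>`). The header therefore only compiles where a glibc header has already been included at this point, and libiberty.h's own includes are outside these hunks, so that cannot be confirmed from here. The patch description should say so explicitly, for example `This change is glibc-specific (__THROWNL is defined by <sys/cdefs.h>) and is not suitable for upstream as is.` The description's first line also misspells "exception" as "exeception". Since the surrounding `#if` that ends at each `#endif` starts above the hunk context, the comment should also name the condition under which these declarations are active.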
diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch
deleted file mode 100644
index 9a0909af74..0000000000
--- a/gnu/packages/patches/glibc-CVE-2015-7547.patch
+++ /dev/null
@@ -1,559 +0,0 @@
-Copied from Fedora:
-http://pkgs.fedoraproject.org/cgit/rpms/glibc.git/tree/glibc-CVE-2015-7547.patch?h=f23&id=9f1734eb6ce3257b788d6e9203572e8204c6c584
-
-Adapted to apply cleanly to glibc-2.22.
-
-Index: b/resolv/nss_dns/dns-host.c
-===================================================================
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
-   int h_namelen = 0;
- 
-   if (ancount == 0)
--    return NSS_STATUS_NOTFOUND;
-+    {
-+      *h_errnop = HOST_NOT_FOUND;
-+      return NSS_STATUS_NOTFOUND;
-+    }
- 
-   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
-     {
-@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
-   /* Special case here: if the resolver sent a result but it only
-      contains a CNAME while we are looking for a T_A or T_AAAA record,
-      we fail with NOTFOUND instead of TRYAGAIN.  */
--  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-+  if (canon != NULL)
-+    {
-+      *h_errnop = HOST_NOT_FOUND;
-+      return NSS_STATUS_NOTFOUND;
-+    }
-+
-+  *h_errnop = NETDB_INTERNAL;
-+  return NSS_STATUS_TRYAGAIN;
- }
- 
- 
-@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
- 
-   enum nss_status status = NSS_STATUS_NOTFOUND;
- 
-+  /* Combining the NSS status of two distinct queries requires some
-+     compromise and attention to symmetry (A or AAAA queries can be
-+     returned in any order).  What follows is a breakdown of how this
-+     code is expected to work and why. We discuss only SUCCESS,
-+     TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
-+     that apply (though RETURN and MERGE exist).  We make a distinction
-+     between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
-+     A recoverable TRYAGAIN is almost always due to buffer size issues
-+     and returns ERANGE in errno and the caller is expected to retry
-+     with a larger buffer.
-+
-+     Lastly, you may be tempted to make significant changes to the
-+     conditions in this code to bring about symmetry between responses.
-+     Please don't change anything without due consideration for
-+     expected application behaviour.  Some of the synthesized responses
-+     aren't very well thought out and sometimes appear to imply that
-+     IPv4 responses are always answer 1, and IPv6 responses are always
-+     answer 2, but that's not true (see the implemetnation of send_dg
-+     and send_vc to see response can arrive in any order, particlarly
-+     for UDP). However, we expect it holds roughly enough of the time
-+     that this code works, but certainly needs to be fixed to make this
-+     a more robust implementation.
-+
-+     ----------------------------------------------
-+     | Answer 1 Status /   | Synthesized | Reason |
-+     | Answer 2 Status     | Status      |        |
-+     |--------------------------------------------|
-+     | SUCCESS/SUCCESS     | SUCCESS     | [1]    |
-+     | SUCCESS/TRYAGAIN    | TRYAGAIN    | [5]    |
-+     | SUCCESS/TRYAGAIN'   | SUCCESS     | [1]    |
-+     | SUCCESS/NOTFOUND    | SUCCESS     | [1]    |
-+     | SUCCESS/UNAVAIL     | SUCCESS     | [1]    |
-+     | TRYAGAIN/SUCCESS    | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/TRYAGAIN   | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/TRYAGAIN'  | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/NOTFOUND   | TRYAGAIN    | [2]    |
-+     | TRYAGAIN/UNAVAIL    | TRYAGAIN    | [2]    |
-+     | TRYAGAIN'/SUCCESS   | SUCCESS     | [3]    |
-+     | TRYAGAIN'/TRYAGAIN  | TRYAGAIN    | [3]    |
-+     | TRYAGAIN'/TRYAGAIN' | TRYAGAIN'   | [3]    |
-+     | TRYAGAIN'/NOTFOUND  | TRYAGAIN'   | [3]    |
-+     | TRYAGAIN'/UNAVAIL   | UNAVAIL     | [3]    |
-+     | NOTFOUND/SUCCESS    | SUCCESS     | [3]    |
-+     | NOTFOUND/TRYAGAIN   | TRYAGAIN    | [3]    |
-+     | NOTFOUND/TRYAGAIN'  | TRYAGAIN'   | [3]    |
-+     | NOTFOUND/NOTFOUND   | NOTFOUND    | [3]    |
-+     | NOTFOUND/UNAVAIL    | UNAVAIL     | [3]    |
-+     | UNAVAIL/SUCCESS     | UNAVAIL     | [4]    |
-+     | UNAVAIL/TRYAGAIN    | UNAVAIL     | [4]    |
-+     | UNAVAIL/TRYAGAIN'   | UNAVAIL     | [4]    |
-+     | UNAVAIL/NOTFOUND    | UNAVAIL     | [4]    |
-+     | UNAVAIL/UNAVAIL     | UNAVAIL     | [4]    |
-+     ----------------------------------------------
-+
-+     [1] If the first response is a success we return success.
-+         This ignores the state of the second answer and in fact
-+         incorrectly sets errno and h_errno to that of the second
-+	 answer.  However because the response is a success we ignore
-+	 *errnop and *h_errnop (though that means you touched errno on
-+         success).  We are being conservative here and returning the
-+         likely IPv4 response in the first answer as a success.
-+
-+     [2] If the first response is a recoverable TRYAGAIN we return
-+	 that instead of looking at the second response.  The
-+	 expectation here is that we have failed to get an IPv4 response
-+	 and should retry both queries.
-+
-+     [3] If the first response was not a SUCCESS and the second
-+	 response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
-+	 or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
-+	 result from the second response, otherwise the first responses
-+	 status is used.  Again we have some odd side-effects when the
-+	 second response is NOTFOUND because we overwrite *errnop and
-+	 *h_errnop that means that a first answer of NOTFOUND might see
-+	 its *errnop and *h_errnop values altered.  Whether it matters
-+	 in practice that a first response NOTFOUND has the wrong
-+	 *errnop and *h_errnop is undecided.
-+
-+     [4] If the first response is UNAVAIL we return that instead of
-+	 looking at the second response.  The expectation here is that
-+	 it will have failed similarly e.g. configuration failure.
-+
-+     [5] Testing this code is complicated by the fact that truncated
-+	 second response buffers might be returned as SUCCESS if the
-+	 first answer is a SUCCESS.  To fix this we add symmetry to
-+	 TRYAGAIN with the second response.  If the second response
-+	 is a recoverable error we now return TRYAGIN even if the first
-+	 response was SUCCESS.  */
-+
-   if (anslen1 > 0)
-     status = gaih_getanswer_slice(answer1, anslen1, qname,
- 				  &pat, &buffer, &buflen,
- 				  errnop, h_errnop, ttlp,
- 				  &first);
-+
-   if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
-        || (status == NSS_STATUS_TRYAGAIN
- 	   /* We want to look at the second answer in case of an
-@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
- 						     &pat, &buffer, &buflen,
- 						     errnop, h_errnop, ttlp,
- 						     &first);
-+      /* Use the second response status in some cases.  */
-       if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
- 	status = status2;
-+      /* Do not return a truncated second response (unless it was
-+         unavoidable e.g. unrecoverable TRYAGAIN).  */
-+      if (status == NSS_STATUS_SUCCESS
-+	  && (status2 == NSS_STATUS_TRYAGAIN
-+	      && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
-+	status = NSS_STATUS_TRYAGAIN;
-     }
- 
-   return status;
-Index: b/resolv/res_query.c
-===================================================================
---- a/resolv/res_query.c
-+++ b/resolv/res_query.c
-@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
- 		  {
- 		    free (*answerp2);
- 		    *answerp2 = NULL;
-+		    *nanswerp2 = 0;
- 		    *answerp2_malloced = 0;
- 		  }
- 	}
-@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
- 			  {
- 			    free (*answerp2);
- 			    *answerp2 = NULL;
-+			    *nanswerp2 = 0;
- 			    *answerp2_malloced = 0;
- 			  }
- 
-@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
- 	  {
- 	    free (*answerp2);
- 	    *answerp2 = NULL;
-+	    *nanswerp2 = 0;
- 	    *answerp2_malloced = 0;
- 	  }
- 	if (saved_herrno != -1)
-Index: b/resolv/res_send.c
-===================================================================
---- a/resolv/res_send.c
-+++ b/resolv/res_send.c
-@@ -1,3 +1,20 @@
-+/* Copyright (C) 2016 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
- /*
-  * Copyright (c) 1985, 1989, 1993
-  *    The Regents of the University of California.  All rights reserved.
-@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const
- #ifdef USE_HOOKS
- 	if (__glibc_unlikely (statp->qhook || statp->rhook))       {
- 		if (anssiz < MAXPACKET && ansp) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *buf = malloc (MAXPACKET);
- 			if (buf == NULL)
- 				return (-1);
-@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend)
- 
- /* Private */
- 
-+/* The send_vc function is responsible for sending a DNS query over TCP
-+   to the nameserver numbered NS from the res_state STATP i.e.
-+   EXT(statp).nssocks[ns].  The function supports sending both IPv4 and
-+   IPv6 queries at the same serially on the same socket.
-+
-+   Please note that for TCP there is no way to disable sending both
-+   queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
-+   and sends the queries serially and waits for the result after each
-+   sent query.  This implemetnation should be corrected to honour these
-+   options.
-+
-+   Please also note that for TCP we send both queries over the same
-+   socket one after another.  This technically violates best practice
-+   since the server is allowed to read the first query, respond, and
-+   then close the socket (to service another client).  If the server
-+   does this, then the remaining second query in the socket data buffer
-+   will cause the server to send the client an RST which will arrive
-+   asynchronously and the client's OS will likely tear down the socket
-+   receive buffer resulting in a potentially short read and lost
-+   response data.  This will force the client to retry the query again,
-+   and this process may repeat until all servers and connection resets
-+   are exhausted and then the query will fail.  It's not known if this
-+   happens with any frequency in real DNS server implementations.  This
-+   implementation should be corrected to use two sockets by default for
-+   parallel queries.
-+
-+   The query stored in BUF of BUFLEN length is sent first followed by
-+   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
-+   serially on the same socket.
-+
-+   Answers to the query are stored firstly in *ANSP up to a max of
-+   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
-+   is non-NULL (to indicate that modifying the answer buffer is allowed)
-+   then malloc is used to allocate a new response buffer and ANSCP and
-+   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
-+   are needed but ANSCP is NULL, then as much of the response as
-+   possible is read into the buffer, but the results will be truncated.
-+   When truncation happens because of a small answer buffer the DNS
-+   packets header feild TC will bet set to 1, indicating a truncated
-+   message and the rest of the socket data will be read and discarded.
-+
-+   Answers to the query are stored secondly in *ANSP2 up to a max of
-+   *ANSSIZP2 bytes, with the actual response length stored in
-+   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
-+   is non-NULL (required for a second query) then malloc is used to
-+   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+   size and *ANSP2_MALLOCED is set to 1.
-+
-+   The ANSP2_MALLOCED argument will eventually be removed as the
-+   change in buffer pointer can be used to detect the buffer has
-+   changed and that the caller should use free on the new buffer.
-+
-+   Note that the answers may arrive in any order from the server and
-+   therefore the first and second answer buffers may not correspond to
-+   the first and second queries.
-+
-+   It is not supported to call this function with a non-NULL ANSP2
-+   but a NULL ANSCP.  Put another way, you can call send_vc with a
-+   single unmodifiable buffer or two modifiable buffers, but no other
-+   combination is supported.
-+
-+   It is the caller's responsibility to free the malloc allocated
-+   buffers by detecting that the pointers have changed from their
-+   original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+   If errors are encountered then *TERRNO is set to an appropriate
-+   errno value and a zero result is returned for a recoverable error,
-+   and a less-than zero result is returned for a non-recoverable error.
-+
-+   If no errors are encountered then *TERRNO is left unmodified and
-+   a the length of the first response in bytes is returned.  */
- static int
- send_vc(res_state statp,
- 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -669,11 +759,7 @@ send_vc(res_state statp,
- {
- 	const HEADER *hp = (HEADER *) buf;
- 	const HEADER *hp2 = (HEADER *) buf2;
--	u_char *ans = *ansp;
--	int orig_anssizp = *anssizp;
--	// XXX REMOVE
--	// int anssiz = *anssizp;
--	HEADER *anhp = (HEADER *) ans;
-+	HEADER *anhp = (HEADER *) *ansp;
- 	struct sockaddr *nsap = get_nsaddr (statp, ns);
- 	int truncating, connreset, n;
- 	/* On some architectures compiler might emit a warning indicating
-@@ -766,6 +852,8 @@ send_vc(res_state statp,
- 	 * Receive length & response
- 	 */
- 	int recvresp1 = 0;
-+	/* Skip the second response if there is no second query.
-+           To do that we mark the second response as received.  */
- 	int recvresp2 = buf2 == NULL;
- 	uint16_t rlen16;
-  read_len:
-@@ -802,40 +890,14 @@ send_vc(res_state statp,
- 	u_char **thisansp;
- 	int *thisresplenp;
- 	if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+		/* We have not received any responses
-+		   yet or we only have one response to
-+		   receive.  */
- 		thisanssizp = anssizp;
- 		thisansp = anscp ?: ansp;
- 		assert (anscp != NULL || ansp2 == NULL);
- 		thisresplenp = &resplen;
- 	} else {
--		if (*anssizp != MAXPACKET) {
--			/* No buffer allocated for the first
--			   reply.  We can try to use the rest
--			   of the user-provided buffer.  */
--#if __GNUC_PREREQ (4, 7)
--			DIAG_PUSH_NEEDS_COMMENT;
--			DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
--#endif
--#if _STRING_ARCH_unaligned
--			*anssizp2 = orig_anssizp - resplen;
--			*ansp2 = *ansp + resplen;
--#else
--			int aligned_resplen
--			  = ((resplen + __alignof__ (HEADER) - 1)
--			     & ~(__alignof__ (HEADER) - 1));
--			*anssizp2 = orig_anssizp - aligned_resplen;
--			*ansp2 = *ansp + aligned_resplen;
--#endif
--#if __GNUC_PREREQ (4, 7)
--			DIAG_POP_NEEDS_COMMENT;
--#endif
--		} else {
--			/* The first reply did not fit into the
--			   user-provided buffer.  Maybe the second
--			   answer will.  */
--			*anssizp2 = orig_anssizp;
--			*ansp2 = *ansp;
--		}
--
- 		thisanssizp = anssizp2;
- 		thisansp = ansp2;
- 		thisresplenp = resplen2;
-@@ -843,10 +905,14 @@ send_vc(res_state statp,
- 	anhp = (HEADER *) *thisansp;
- 
- 	*thisresplenp = rlen;
--	if (rlen > *thisanssizp) {
--		/* Yes, we test ANSCP here.  If we have two buffers
--		   both will be allocatable.  */
--		if (__glibc_likely (anscp != NULL))       {
-+	/* Is the answer buffer too small?  */
-+	if (*thisanssizp < rlen) {
-+		/* If the current buffer is non-NULL and it's not
-+		   pointing at the static user-supplied buffer then
-+		   we can reallocate it.  */
-+		if (thisansp != NULL && thisansp != ansp) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *newp = malloc (MAXPACKET);
- 			if (newp == NULL) {
- 				*terrno = ENOMEM;
-@@ -858,6 +924,9 @@ send_vc(res_state statp,
- 			if (thisansp == ansp2)
- 			  *ansp2_malloced = 1;
- 			anhp = (HEADER *) newp;
-+			/* A uint16_t can't be larger than MAXPACKET
-+			   thus it's safe to allocate MAXPACKET but
-+			   read RLEN bytes instead.  */
- 			len = rlen;
- 		} else {
- 			Dprint(statp->options & RES_DEBUG,
-@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in
- 	return 1;
- }
- 
-+/* The send_dg function is responsible for sending a DNS query over UDP
-+   to the nameserver numbered NS from the res_state STATP i.e.
-+   EXT(statp).nssocks[ns].  The function supports IPv4 and IPv6 queries
-+   along with the ability to send the query in parallel for both stacks
-+   (default) or serially (RES_SINGLKUP).  It also supports serial lookup
-+   with a close and reopen of the socket used to talk to the server
-+   (RES_SNGLKUPREOP) to work around broken name servers.
-+
-+   The query stored in BUF of BUFLEN length is sent first followed by
-+   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
-+   in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
-+
-+   Answers to the query are stored firstly in *ANSP up to a max of
-+   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
-+   is non-NULL (to indicate that modifying the answer buffer is allowed)
-+   then malloc is used to allocate a new response buffer and ANSCP and
-+   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
-+   are needed but ANSCP is NULL, then as much of the response as
-+   possible is read into the buffer, but the results will be truncated.
-+   When truncation happens because of a small answer buffer the DNS
-+   packets header feild TC will bet set to 1, indicating a truncated
-+   message, while the rest of the UDP packet is discarded.
-+
-+   Answers to the query are stored secondly in *ANSP2 up to a max of
-+   *ANSSIZP2 bytes, with the actual response length stored in
-+   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
-+   is non-NULL (required for a second query) then malloc is used to
-+   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+   size and *ANSP2_MALLOCED is set to 1.
-+
-+   The ANSP2_MALLOCED argument will eventually be removed as the
-+   change in buffer pointer can be used to detect the buffer has
-+   changed and that the caller should use free on the new buffer.
-+
-+   Note that the answers may arrive in any order from the server and
-+   therefore the first and second answer buffers may not correspond to
-+   the first and second queries.
-+
-+   It is not supported to call this function with a non-NULL ANSP2
-+   but a NULL ANSCP.  Put another way, you can call send_vc with a
-+   single unmodifiable buffer or two modifiable buffers, but no other
-+   combination is supported.
-+
-+   It is the caller's responsibility to free the malloc allocated
-+   buffers by detecting that the pointers have changed from their
-+   original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+   If an answer is truncated because of UDP datagram DNS limits then
-+   *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
-+   the caller to retry with TCP.  The value *GOTSOMEWHERE is set to 1
-+   if any progress was made reading a response from the nameserver and
-+   is used by the caller to distinguish between ECONNREFUSED and
-+   ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
-+
-+   If errors are encountered then *TERRNO is set to an appropriate
-+   errno value and a zero result is returned for a recoverable error,
-+   and a less-than zero result is returned for a non-recoverable error.
-+
-+   If no errors are encountered then *TERRNO is left unmodified and
-+   a the length of the first response in bytes is returned.  */
- static int
- send_dg(res_state statp,
- 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -1030,8 +1159,6 @@ send_dg(res_state statp,
- {
- 	const HEADER *hp = (HEADER *) buf;
- 	const HEADER *hp2 = (HEADER *) buf2;
--	u_char *ans = *ansp;
--	int orig_anssizp = *anssizp;
- 	struct timespec now, timeout, finish;
- 	struct pollfd pfd[1];
- 	int ptimeout;
-@@ -1064,6 +1191,8 @@ send_dg(res_state statp,
- 	int need_recompute = 0;
- 	int nwritten = 0;
- 	int recvresp1 = 0;
-+	/* Skip the second response if there is no second query.
-+           To do that we mark the second response as received.  */
- 	int recvresp2 = buf2 == NULL;
- 	pfd[0].fd = EXT(statp).nssocks[ns];
- 	pfd[0].events = POLLOUT;
-@@ -1227,55 +1356,56 @@ send_dg(res_state statp,
- 		int *thisresplenp;
- 
- 		if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+			/* We have not received any responses
-+			   yet or we only have one response to
-+			   receive.  */
- 			thisanssizp = anssizp;
- 			thisansp = anscp ?: ansp;
- 			assert (anscp != NULL || ansp2 == NULL);
- 			thisresplenp = &resplen;
- 		} else {
--			if (*anssizp != MAXPACKET) {
--				/* No buffer allocated for the first
--				   reply.  We can try to use the rest
--				   of the user-provided buffer.  */
--#if _STRING_ARCH_unaligned
--				*anssizp2 = orig_anssizp - resplen;
--				*ansp2 = *ansp + resplen;
--#else
--				int aligned_resplen
--				  = ((resplen + __alignof__ (HEADER) - 1)
--				     & ~(__alignof__ (HEADER) - 1));
--				*anssizp2 = orig_anssizp - aligned_resplen;
--				*ansp2 = *ansp + aligned_resplen;
--#endif
--			} else {
--				/* The first reply did not fit into the
--				   user-provided buffer.  Maybe the second
--				   answer will.  */
--				*anssizp2 = orig_anssizp;
--				*ansp2 = *ansp;
--			}
--
- 			thisanssizp = anssizp2;
- 			thisansp = ansp2;
- 			thisresplenp = resplen2;
- 		}
- 
- 		if (*thisanssizp < MAXPACKET
--		    /* Yes, we test ANSCP here.  If we have two buffers
--		       both will be allocatable.  */
--		    && anscp
-+		    /* If the current buffer is non-NULL and it's not
-+		       pointing at the static user-supplied buffer then
-+		       we can reallocate it.  */
-+		    && (thisansp != NULL && thisansp != ansp)
- #ifdef FIONREAD
-+		    /* Is the size too small?  */
- 		    && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
- 			|| *thisanssizp < *thisresplenp)
- #endif
-                     ) {
-+			/* Always allocate MAXPACKET, callers expect
-+			   this specific size.  */
- 			u_char *newp = malloc (MAXPACKET);
- 			if (newp != NULL) {
--				*anssizp = MAXPACKET;
--				*thisansp = ans = newp;
-+				*thisanssizp = MAXPACKET;
-+				*thisansp = newp;
- 				if (thisansp == ansp2)
- 				  *ansp2_malloced = 1;
- 			}
- 		}
-+		/* We could end up with truncation if anscp was NULL
-+		   (not allowed to change caller's buffer) and the
-+		   response buffer size is too small.  This isn't a
-+		   reliable way to detect truncation because the ioctl
-+		   may be an inaccurate report of the UDP message size.
-+		   Therefore we use this only to issue debug output.
-+		   To do truncation accurately with UDP we need
-+		   MSG_TRUNC which is only available on Linux.  We
-+		   can abstract out the Linux-specific feature in the
-+		   future to detect truncation.  */
-+		if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
-+			Dprint(statp->options & RES_DEBUG,
-+			       (stdout, ";; response may be truncated (UDP)\n")
-+			);
-+		}
-+
- 		HEADER *anhp = (HEADER *) *thisansp;
- 		socklen_t fromlen = sizeof(struct sockaddr_in6);
- 		assert (sizeof(from) <= fromlen);
diff --git a/gnu/packages/patches/glibc-locale-incompatibility.patch b/gnu/packages/patches/glibc-locale-incompatibility.patch
deleted file mode 100644
index baf30a79a7..0000000000
--- a/gnu/packages/patches/glibc-locale-incompatibility.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-This patch avoids an assertion failure when incompatible locale data
-is encountered:
-
-  https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html
-
---- glibc-2.22/locale/loadlocale.c	2015-09-22 17:16:02.321981548 +0200
-+++ glibc-2.22/locale/loadlocale.c	2015-09-22 17:17:34.814659064 +0200
-@@ -120,10 +120,11 @@
- 	 _nl_value_type_LC_XYZ array.  There are all pointers.  */
-       switch (category)
- 	{
--#define CATTEST(cat) \
--	case LC_##cat:							      \
--	  assert (cnt < (sizeof (_nl_value_type_LC_##cat)		      \
--			 / sizeof (_nl_value_type_LC_##cat[0])));	      \
-+#define CATTEST(cat)						\
-+	case LC_##cat:						\
-+	  if (cnt >= (sizeof (_nl_value_type_LC_##cat)		\
-+		      / sizeof (_nl_value_type_LC_##cat[0])))	\
-+	    goto puntdata;					\
- 	  break
- 	  CATTEST (NUMERIC);
- 	  CATTEST (TIME);
diff --git a/gnu/packages/pcre.scm b/gnu/packages/pcre.scm
index 24ecf905e0..248242af4d 100644
--- a/gnu/packages/pcre.scm
+++ b/gnu/packages/pcre.scm
@@ -42,7 +42,8 @@
                                  version "/pcre-" version ".tar.bz2")))
             (sha256
              (base32
-              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))))
+              "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r"))
+            (patches (list (search-patch "pcre-CVE-2016-3191.patch")))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.8 MiB of HTML
@@ -50,7 +51,8 @@
              ("readline" ,readline)
              ("zlib" ,zlib)))
    (arguments
-    `(#:configure-flags '("--enable-utf"
+    '(#:disallowed-references ("doc")
+      #:configure-flags '("--enable-utf"
                           "--enable-pcregrep-libz"
                           "--enable-pcregrep-libbz2"
                           "--enable-pcretest-libreadline"
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index a517581e7d..1b5ca134fe 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -86,15 +86,7 @@
                         "-Dinstallstyle=lib/perl5"
                         "-Duseshrplib"
                         (string-append "-Dlocincpth=" libc "/include")
-                        (string-append "-Dloclibpth=" libc "/lib")
-
-                        ;; Force the library search path to contain only libc
-                        ;; because it is recorded in Config.pm and
-                        ;; Config_heavy.pl; we don't want to keep a reference
-                        ;; to everything that's in $LIBRARY_PATH at build
-                        ;; time (Binutils, bzip2, file, etc.)
-                        (string-append "-Dlibpth=" libc "/lib")
-                        (string-append "-Dplibpth=" libc "/lib"))))))
+                        (string-append "-Dloclibpth=" libc "/lib"))))))
 
          (add-before
           'strip 'make-shared-objects-writable
@@ -105,7 +97,34 @@
                    (lib (string-append out "/lib")))
               (for-each (lambda (dso)
                           (chmod dso #o755))
-                        (find-files lib "\\.so$"))))))))
+                        (find-files lib "\\.so$")))))
+
+         (add-after 'install 'remove-extra-references
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out     (assoc-ref outputs "out"))
+                    (libc    (assoc-ref inputs "libc"))
+                    (config1 (car (find-files (string-append out "/lib/perl5")
+                                              "^Config_heavy\\.pl$")))
+                    (config2 (find-files (string-append out "/lib/perl5")
+                                         "^Config\\.pm$")))
+               ;; Force the library search path to contain only libc because
+               ;; it is recorded in Config.pm and Config_heavy.pl; we don't
+               ;; want to keep a reference to everything that's in
+               ;; $LIBRARY_PATH at build time (GCC, Binutils, bzip2, file,
+               ;; etc.)
+               (substitute* config1
+                 (("^incpth=.*$")
+                  (string-append "incpth='" libc "/include'\n"))
+                 (("^(libpth|plibpth|libspath)=.*$" _ variable)
+                  (string-append variable "='" libc "/lib'\n")))
+
+               (for-each (lambda (file)
+                           (substitute* config2
+                             (("libpth => .*$")
+                              (string-append "libpth => '" libc
+                                             "/lib',\n"))))
+                         config2)
+               #t))))))
     (native-search-paths (list (search-path-specification
                                 (variable "PERL5LIB")
                                 (files '("lib/perl5/site_perl")))))
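Review bot: In the added `remove-extra-references` phase the `for-each` lambda binds `file` but then calls `(substitute* config2 ...)` on the whole list, so `file` is never used and every `Config.pm` found is rewritten once per list element. The result is the same only because the replacement is idempotent; either call `(substitute* config2 ...)` once without the `for-each`, or change the inner call to `(substitute* file`. Separately, `config1` is taken with `(car (find-files ...))`, which fails with a generic error if `Config_heavy.pl` is not found under `lib/perl5`. Since this phase is what keeps build-time store paths out of the closure, an explicit check with a clear message would make such a failure easier to diagnose. The enclosing `modify-phases` form starts outside the hunk.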
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 7593fc71ac..ef06c89298 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -93,7 +93,7 @@
 (define-public python-2
   (package
     (name "python")
-    (version "2.7.10")
+    (version "2.7.11")
     (source
      (origin
       (method url-fetch)
@@ -101,56 +101,44 @@
                           version "/Python-" version ".tar.xz"))
       (sha256
        (base32
-        "1h7zbrf9pkj29hlm18b10548ch9757f75m64l47sy75rh43p7lqw"))
-      (patches (search-patches
-                "python-2.7-search-paths.patch"
-                "python-2-deterministic-build-info.patch"
-                "python-2.7-source-date-epoch.patch"))))
+        "0iiz844riiznsyhhyy962710pz228gmhv8qi3yk4w4jhmx2lqawn"))
+      (patches (search-patches "python-2.7-search-paths.patch"
+                               "python-2-deterministic-build-info.patch"
+                               "python-2.7-source-date-epoch.patch"))
+      (modules '((guix build utils)))
+      ;; suboptimal to delete failing tests here, but if we delete them in the
+      ;; arguments then we need to make sure to strip out that phase when it
+      ;; gets inherited by python and python-minimal.
+      (snippet
+       '(begin
+          (for-each delete-file
+                    '("Lib/test/test_compileall.py"
+                      "Lib/test/test_distutils.py"
+                      "Lib/test/test_import.py"
+                      "Lib/test/test_shutil.py"
+                      "Lib/test/test_socket.py"
+                      "Lib/test/test_subprocess.py"))
+          #t))))
     (outputs '("out"
                "tk"))                     ;tkinter; adds 50 MiB to the closure
     (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f
-       ;; 268 tests OK.
-       ;; 103 tests failed:
-       ;;     test_distutils test_shutil test_signal test_site test_slice
-       ;;     test_smtplib test_smtpnet test_socket test_socketserver
-       ;;     test_softspace test_sort test_spwd test_sqlite test_ssl
-       ;;     test_startfile test_stat test_str test_strftime test_string
-       ;;     test_stringprep test_strop test_strptime test_strtod test_struct
-       ;;     test_structmembers test_structseq test_subprocess test_sunau
-       ;;     test_sunaudiodev test_sundry test_symtable test_syntax test_sys
-       ;;     test_sys_setprofile test_sys_settrace test_sysconfig test_tarfile
-       ;;     test_tcl test_telnetlib test_tempfile test_textwrap test_thread
-       ;;     test_threaded_import test_threadedtempfile test_threading
-       ;;     test_threading_local test_threadsignals test_time test_timeit
-       ;;     test_timeout test_tk test_tokenize test_tools test_trace
-       ;;     test_traceback test_transformer test_ttk_guionly test_ttk_textonly
-       ;;     test_tuple test_typechecks test_ucn test_unary
-       ;;     test_undocumented_details test_unicode test_unicode_file
-       ;;     test_unicodedata test_univnewlines test_univnewlines2k test_unpack
-       ;;     test_urllib test_urllib2 test_urllib2_localnet test_urllib2net
-       ;;     test_urllibnet test_urlparse test_userdict test_userlist
-       ;;     test_userstring test_uu test_uuid test_wait3 test_wait4
-       ;;     test_warnings test_wave test_weakref test_weakset test_whichdb
-       ;;     test_winreg test_winsound test_with test_wsgiref test_xdrlib
-       ;;     test_xml_etree test_xml_etree_c test_xmllib test_xmlrpc
-       ;;     test_xpickle test_xrange test_zipfile test_zipfile64
-       ;;     test_zipimport test_zipimport_support test_zlib
-       ;; 30 tests skipped:
+     `(;; 356 tests OK.
+       ;; 6 tests failed:
+       ;;     test_compileall test_distutils test_import test_shutil test_socket
+       ;;     test_subprocess
+       ;; 39 tests skipped:
        ;;     test_aepack test_al test_applesingle test_bsddb test_bsddb185
        ;;     test_bsddb3 test_cd test_cl test_codecmaps_cn test_codecmaps_hk
-       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_crypt
-       ;;     test_curses test_dl test_gdb test_gl test_idle test_imageop
-       ;;     test_imgfile test_ioctl test_kqueue test_linuxaudiodev test_macos
-       ;;     test_macostools test_msilib test_nis test_ossaudiodev
-       ;;     test_scriptpackages
-       ;; 6 skips unexpected on linux2:
-       ;;     test_bsddb test_bsddb3 test_crypt test_gdb test_idle test_ioctl
-       ;; One of the typical errors:
-       ;; test_unicode
-       ;; test test_unicode crashed -- <type 'exceptions.OSError'>: [Errno 2] No
-       ;; such file or directory
+       ;;     test_codecmaps_jp test_codecmaps_kr test_codecmaps_tw test_curses
+       ;;     test_dl test_gdb test_gl test_imageop test_imgfile test_ioctl
+       ;;     test_kqueue test_linuxaudiodev test_macos test_macostools
+       ;;     test_msilib test_ossaudiodev test_scriptpackages test_smtpnet
+       ;;     test_socketserver test_startfile test_sunaudiodev test_timeout
+       ;;     test_tk test_ttk_guionly test_urllib2net test_urllibnet
+       ;;     test_winreg test_winsound test_zipfile64
+       ;; 4 skips unexpected on linux2:
+       ;;     test_bsddb test_bsddb3 test_gdb test_ioctl
        #:test-target "test"
        #:configure-flags
        (list "--enable-shared"                    ;allow embedding
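Review bot: The comment kept at the top of `arguments` still reports `6 tests failed` and names them, but the new origin `snippet` deletes exactly those six files, so the counts describe a run this definition no longer produces. I would reword it to say that the six files are removed in the snippet and why each fails in the build environment. Deleting `test_socket.py`, `test_subprocess.py` and `test_shutil.py` wholesale also drops all test coverage of those modules for every package that inherits this origin. If only a few test cases in each file fail (not visible here), patching out just those cases would keep the rest running. The `arguments` list continues outside the hunk.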
@@ -336,8 +324,8 @@ data types.")
                   (lambda (old new)
                     (symlink (string-append python old)
                              (string-append bin "/" new)))
-                  `("python3" ,"pydoc3" ,"idle3")
-                  `("python"  ,"pydoc"  ,"idle"))))))
+                  '("python3" "pydoc3" "idle3")
+                  '("python"  "pydoc"  "idle"))))))
     (synopsis "Wrapper for the Python 3 commands")
     (description
      "This package provides wrappers for the commands of Python@tie{}3.x such
diff --git a/gnu/packages/texinfo.scm b/gnu/packages/texinfo.scm
index 4921b10124..d645ef4bc1 100644
--- a/gnu/packages/texinfo.scm
+++ b/gnu/packages/texinfo.scm
@@ -32,14 +32,14 @@
 (define-public texinfo
   (package
     (name "texinfo")
-    (version "6.0")
+    (version "6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/texinfo/texinfo-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1r3i6jyynn6ab45fxw5bms8mflk9ry4qpj6gqyry72vfd5c47fhi"))))
+                "1ll3d0l8izygdxqz96wfr2631kxahifwdknpgsx2090vw963js5c"))))
     (build-system gnu-build-system)
     (native-inputs `(("procps" ,procps)))  ;one of the tests needs pgrep
     (inputs `(("ncurses" ,ncurses)
@@ -62,18 +62,6 @@ their source and the command-line Info reader.  The emphasis of the language
 is on expressing the content semantically, avoiding physical markup commands.")
     (license gpl3+)))
 
-(define-public texinfo-6.1
-  (package
-    (inherit texinfo)
-    (version "6.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/texinfo/texinfo-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1ll3d0l8izygdxqz96wfr2631kxahifwdknpgsx2090vw963js5c"))))))
-
 (define-public texinfo-5
   (package (inherit texinfo)
     (version "5.2")
@@ -105,10 +93,10 @@ is on expressing the content semantically, avoiding physical markup commands.")
   ;; The idea of this package is to have the standalone Info reader without
   ;; the dependency on Perl that 'makeinfo' drags.
   (package
-    (inherit texinfo-6.1)
+    (inherit texinfo)
     (name "info-reader")
     (arguments
-     `(#:disallowed-references ,(assoc-ref (package-inputs texinfo-6.1)
+     `(#:disallowed-references ,(assoc-ref (package-inputs texinfo)
                                            "perl")
 
        #:modules ((ice-9 ftw) (srfi srfi-1)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 0f4441d70c..4ec0ed7d34 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -122,7 +122,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.4.7")
+    (version "3.4.9")
     (source (origin
              (method url-fetch)
              (uri
@@ -133,7 +133,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "0nifi3mr5jhz608pidkp8cjs4vwfj1m2qczsjrgpnp99615rxgn1"))))
+               "0gvwyl0kdp1qpzbzp46wqfdzzrmwy9n54sgcjvvm1m1kpanlyna8"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -216,6 +216,10 @@ required structures.")
     `(#:parallel-build? #f
       #:parallel-tests? #f
       #:test-target "test"
+
+      ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+      ;; so we explicitly disallow it here.
+      #:disallowed-references ,(list (canonical-package perl))
       #:phases
       (modify-phases %standard-phases
         (add-before
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 126e997673..67bca6d894 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -222,7 +222,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.65")
+    (version "2.4.67")
     (source
       (origin
         (method url-fetch)
@@ -232,7 +232,7 @@ rasterisation.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1i4n7mz49l0j4kr0dg9n1j3hlc786ncqgj0v5fci1mz7pp40m5ki"))
+            "1gnf206zs8dwszvkv4z2hbvh23045z0q29kms127bqrv27hp2nzf"))
         (patches (search-patches "libdrm-symbol-check.patch"))))
     (build-system gnu-build-system)
     (inputs
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index e1f111e329..838ce34364 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -4,7 +4,7 @@
 ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Raimon Grau <raimonster@gmail.com>
 ;;;
@@ -44,15 +44,14 @@
 (define-public expat
   (package
     (name "expat")
-    (version "2.1.0")
+    (version "2.1.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://sourceforge/expat/expat/"
-                                 version "/expat-" version ".tar.gz"))
+                                 version "/expat-" version ".tar.bz2"))
              (sha256
               (base32
-               "11pblz61zyxh68s5pdcbhc30ha1b2vfjd83aiwfg4vc15x3hadw2"))
-             (patches (search-patches "expat-CVE-2015-1283.patch"))))
+               "0ryyjgvy7jq0qb7a9mhc1giy3bzn56aiwrs8dpydqngplbjq9xdg"))))
     (build-system gnu-build-system)
     (home-page "http://www.libexpat.org/")
     (synopsis "Stream-oriented XML parser library written in C")
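Review bot: The bump to 2.1.1 drops `expat-CVE-2015-1283.patch`, but nothing on the new side records that the new release carries an equivalent fix. Presumably it does, since the patch file is deleted in the same commit, but that should be confirmed against the upstream release notes rather than assumed. I would state it in the commit log, or add a short comment next to the origin such as `;; 2.1.1 includes the CVE-2015-1283 fix; patch no longer needed.`. The tarball suffix also changes from `.tar.gz` to `.tar.bz2`, so the new `sha256` needs to be verified against the `.tar.bz2` artifact specifically.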
diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm
index a13ef1192c..6e62aeee57 100644
--- a/gnu/system/shadow.scm
+++ b/gnu/system/shadow.scm
@@ -131,12 +131,6 @@
 (define (default-skeletons)
   "Return the default skeleton files for /etc/skel.  These files are copied by
 'useradd' in the home directory of newly created user accounts."
-  (define fonts.conf-content
-    ;; SXML for ~/.config/fontconfig/fonts.conf.  This works around the fact
-    ;; that Fontconfig currently does not such this directory by default,
-    ;; thereby ignoring fonts installed system-wide (FIXME).
-    `(fontconfig (dir "/run/current-system/profile/share/fonts")))
-
   (define copy-guile-wm
     #~(begin
         (use-modules (guix build utils))
@@ -180,22 +174,6 @@ source /etc/profile\n"))
         (xdefaults (plain-file "Xdefaults" "\
 XTerm*utf8: always
 XTerm*metaSendsEscape: true\n"))
-        (fonts.conf (computed-file
-                     "fonts.conf"
-                     #~(begin
-                         (use-modules (guix build utils)
-                                      (sxml simple))
-
-                         (define dir
-                           (string-append #$output
-                                          "/fontconfig"))
-
-                         (mkdir-p dir)
-                         (call-with-output-file (string-append dir
-                                                             "/fonts.conf")
-                           (lambda (port)
-                             (sxml->xml '#$fonts.conf-content port))))
-                     #:modules '((guix build utils))))
         (gdbinit   (plain-file "gdbinit" "\
 # Tell GDB where to look for separate debugging files.
 set debug-file-directory ~/.guix-profile/lib/debug\n")))
@@ -204,7 +182,6 @@ set debug-file-directory ~/.guix-profile/lib/debug\n")))
       (".zlogin" ,zlogin)
       (".Xdefaults" ,xdefaults)
       (".guile-wm" ,guile-wm)
-      (".config" ,fonts.conf)
       (".gdbinit" ,gdbinit))))
 
 (define (skeleton-directory skeletons)