Merge branch 'master' into core-updates

master
Mark H Weaver 2016-10-13 05:53:07 -04:00
commit 061d7f3bd2
No known key found for this signature in database
GPG Key ID: 7CEF29847562C516
15 changed files with 873 additions and 52 deletions


@ -495,7 +495,10 @@ gen-AUTHORS:
# Make sure we're not shipping a file that embeds a local /gnu/store file name. # Make sure we're not shipping a file that embeds a local /gnu/store file name.
assert-no-store-file-names: assert-no-store-file-names:
$(AM_V_at)if grep -r --exclude=*.texi --exclude=*.info \ $(AM_V_at)if grep -r --exclude=*.texi --exclude=*.info \
"$(storedir)/[a-z0-9]{32}-" $(distdir) ; \ --exclude=*.info-[0-9] --exclude=*.dot \
--exclude=*.eps --exclude-dir=bootstrap \
--exclude=guix-prettify.el \
-E "$(storedir)/[a-z0-9]{32}-" $(distdir) ; \
then \ then \
echo "error: store file names embedded in the distribution" >&2 ; \ echo "error: store file names embedded in the distribution" >&2 ; \
exit 1 ; \ exit 1 ; \
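Review bot: The check still fails open when grep itself fails: grep exits 2 on an unreadable file or a bad pattern, and the `if grep … ; then … exit 1` form treats every non-zero status as "no store names found", so the distribution ships anyway. Capture the status and accept only 1 (no match), e.g. `-E "$(storedir)/[a-z0-9]{32}-" $(distdir) ; st=$$? ; \` followed by `if test $$st -ne 1 ; then \`, optionally reporting a status of 2 as a grep error rather than as embedded store names. The rule's `then`/`fi` body continues outside the hunk.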


@ -76,6 +76,12 @@
#:output-file go #:output-file go
#:opts `(#:warnings ,warnings))))))) #:opts `(#:warnings ,warnings)))))))
;; Install a SIGINT handler to give unwind handlers in 'compile-file' an
;; opportunity to run upon SIGINT and to remove temporary output files.
(sigaction SIGINT
(lambda args
(exit 1)))
(match (command-line) (match (command-line)
((_ . files) ((_ . files)
(let ((files (filter file-needs-compilation? files))) (let ((files (filter file-needs-compilation? files)))
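Review bot: `(exit 1)` in the SIGINT handler reports an interrupted run with the same status as an ordinary failure, so the caller cannot tell a Ctrl-C from a compile error (what the script returns on compile errors is outside the hunk). The conventional status for termination by SIGINT is 128+2, i.e. `(exit 130)`, which still unwinds through the handlers the comment above relies on. The handler also ignores its arguments; `(lambda _ (exit 130))` makes that explicit.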


@ -221,6 +221,7 @@ Services
* Database Services:: SQL databases. * Database Services:: SQL databases.
* Mail Services:: IMAP, POP3, SMTP, and all that. * Mail Services:: IMAP, POP3, SMTP, and all that.
* Web Services:: Web servers. * Web Services:: Web servers.
* Network File System:: NFS related services.
* Miscellaneous Services:: Other services. * Miscellaneous Services:: Other services.
Defining Services Defining Services
@ -7648,6 +7649,7 @@ declaration.
* Database Services:: SQL databases. * Database Services:: SQL databases.
* Mail Services:: IMAP, POP3, SMTP, and all that. * Mail Services:: IMAP, POP3, SMTP, and all that.
* Web Services:: Web servers. * Web Services:: Web servers.
* Network File System:: NFS related services.
* Miscellaneous Services:: Other services. * Miscellaneous Services:: Other services.
@end menu @end menu
@ -11198,14 +11200,21 @@ directories are created when the service is activated.
@end deffn @end deffn
@node Miscellaneous Services @node Network File System
@subsubsection Miscellaneous Services @subsubsection Network File System
@cindex NFS
The @code{(gnu services nfs)} module provides the following services,
which are most commonly used in relation to mounting or exporting
directory trees as @dfn{network file systems} (NFS).
@subsubheading RPC Bind Service @subsubheading RPC Bind Service
@cindex rpcbind @cindex rpcbind
The @code{(gnu services nfs)} module provides the following: The RPC Bind service provides a facility to map program numbers into
universal addresses.
Many NFS related services use this facility. Hence it is automatically
started when a dependent service starts.
@defvr {Scheme Variable} rpcbind-service-type @defvr {Scheme Variable} rpcbind-service-type
A service type for the RPC portmapper daemon. A service type for the RPC portmapper daemon.
@ -11226,6 +11235,91 @@ instance.
@end table @end table
@end deftp @end deftp
@subsubheading Pipefs Pseudo File System
@cindex pipefs
@cindex rpc_pipefs
The pipefs file system is used to transfer NFS related data
between the kernel and user space programs.
@defvr {Scheme Variable} pipefs-service-type
A service type for the pipefs pseudo file system.
@end defvr
@deftp {Data Type} pipefs-configuration
Data type representing the configuration of the pipefs pseudo file system service.
This type has the following parameters:
@table @asis
@item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
The directory to which the file system is to be attached.
@end table
@end deftp
@subsubheading GSS Daemon Service
@cindex GSSD
@cindex GSS
@cindex global security system
The @dfn{global security system} (GSS) daemon provides strong security for RPC
based protocols.
Before exchanging RPC requests an RPC client must establish a security
context. Typically this is done using the Kerberos command @command{kinit}
or automatically at login time using PAM services.
@defvr {Scheme Variable} gss-service-type
A service type for the Global Security System (GSS) daemon.
@end defvr
@deftp {Data Type} gss-configuration
Data type representing the configuration of the GSS daemon service.
This type has the following parameters:
@table @asis
@item @code{nfs-utils} (default: @code{nfs-utils})
The package in which the @command{rpc.gssd} command is to be found.
@item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
The directory where the pipefs file system is mounted.
@end table
@end deftp
@subsubheading IDMAP Daemon Service
@cindex idmapd
@cindex name mapper
The idmap daemon service provides mapping between user IDs and user names.
Typically it is required in order to access file systems mounted via NFSv4.
@defvr {Scheme Variable} idmap-service-type
A service type for the Identity Mapper (IDMAP) daemon.
@end defvr
@deftp {Data Type} idmap-configuration
Data type representing the configuration of the IDMAP daemon service.
This type has the following parameters:
@table @asis
@item @code{nfs-utils} (default: @code{nfs-utils})
The package in which the @command{rpc.idmapd} command is to be found.
@item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
The directory where the pipefs file system is mounted.
@item @code{domain} (default: @code{#f})
The local NFSv4 domain name.
This must be a string or @code{#f}.
If it is @code{#f} then the daemon will use the host's fully qualified domain name.
@end table
@end deftp
@node Miscellaneous Services
@subsubsection Miscellaneous Services
@cindex lirc @cindex lirc
@subsubheading Lirc Service @subsubheading Lirc Service
@ -13083,6 +13177,54 @@ starts with @code{py} (e.g. @code{pytz}), we keep it and prefix it as
described above. described above.
@subsubsection Specifying Dependencies
@cindex inputs, for Python packages
Dependency information for Python packages is usually available in the
package source tree, with varying degrees of accuracy: in the
@file{setup.py} file, in @file{requirements.txt}, or in @file{tox.ini}.
Your mission, when writing a recipe for a Python package, is to map
these dependencies to the appropriate type of ``input'' (@pxref{package
Reference, inputs}). Although the @code{pypi} importer normally does a
good job (@pxref{Invoking guix import}), you may want to check the
following check list to determine which dependency goes where.
@itemize
@item
Python dependencies required at run time go into
@code{propagated-inputs}. They are typically defined with the
@code{install_requires} keyword in @file{setup.py}, or in the
@file{requirements.txt} file.
@item
Python packages required only at build time---e.g., those listed with
the @code{setup_requires} keyword in @file{setup.py}---or only for
testing---e.g., those in @code{tests_require}---go into
@code{native-inputs}. The rationale is that (1) they do not need to be
propagated because they are not needed at run time, and (2) in a
cross-compilation context, it's the ``native'' input that we'd want.
Examples are @code{setuptools}, which is usually needed only at build
time, or the @code{pytest}, @code{mock}, and @code{nose} test
frameworks. Of course if any of these packages is also required at
run-time, it needs to go to @code{propagated-inputs}.
@item
Anything that does not fall in the previous categories goes to
@code{inputs}, for example programs or C libraries required for building
Python packages containing C extensions.
@item
If a Python package has optional dependencies (@code{extras_require}),
it is up to you to decide whether to add them or not, based on their
usefulness/overhead ratio (@pxref{Submitting Patches, @command{guix
size}}).
@end itemize
@node Perl Modules @node Perl Modules
@subsection Perl Modules @subsection Perl Modules


@ -538,7 +538,12 @@ dist_patch_DATA = \
%D%/packages/patches/gd-fix-tests-on-i686.patch \ %D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gegl-CVE-2012-4433.patch \ %D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghostscript-CVE-2013-5653.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \ %D%/packages/patches/ghostscript-CVE-2015-3228.patch \
%D%/packages/patches/ghostscript-CVE-2016-7976.patch \
%D%/packages/patches/ghostscript-CVE-2016-7978.patch \
%D%/packages/patches/ghostscript-CVE-2016-7979.patch \
%D%/packages/patches/ghostscript-CVE-2016-8602.patch \
%D%/packages/patches/ghostscript-runpath.patch \ %D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \ %D%/packages/patches/glib-tests-timer.patch \
@ -573,6 +578,8 @@ dist_patch_DATA = \
%D%/packages/patches/gtk3-respect-GUIX_GTK3_PATH.patch \ %D%/packages/patches/gtk3-respect-GUIX_GTK3_PATH.patch \
%D%/packages/patches/gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch \ %D%/packages/patches/gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch \
%D%/packages/patches/gtkglext-disable-disable-deprecated.patch \ %D%/packages/patches/gtkglext-disable-disable-deprecated.patch \
%D%/packages/patches/hdf4-shared-fortran.patch \
%D%/packages/patches/hdf4-reproducibility.patch \
%D%/packages/patches/hdf5-config-date.patch \ %D%/packages/patches/hdf5-config-date.patch \
%D%/packages/patches/hdf-eos5-build-shared.patch \ %D%/packages/patches/hdf-eos5-build-shared.patch \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \


@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; ;;;
@ -127,6 +127,7 @@ printing, and psresize, for adjusting page sizes.")
(package (package
(name "ghostscript") (name "ghostscript")
(version "9.14.0") (version "9.14.0")
(replacement ghostscript/fixed)
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-" (uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
@ -197,8 +198,22 @@ output file formats and printers.")
(license license:agpl3+) (license license:agpl3+)
(home-page "http://www.gnu.org/software/ghostscript/"))) (home-page "http://www.gnu.org/software/ghostscript/")))
(define ghostscript/fixed
(package
(inherit ghostscript)
(replacement #f) ; Prevent ghostscript/x from inheriting the replacement
(source (origin
(inherit (package-source ghostscript))
(patches (search-patches "ghostscript-CVE-2013-5653.patch"
"ghostscript-CVE-2015-3228.patch"
"ghostscript-CVE-2016-7976.patch"
"ghostscript-CVE-2016-7978.patch"
"ghostscript-CVE-2016-7979.patch"
"ghostscript-CVE-2016-8602.patch"
"ghostscript-runpath.patch"))))))
(define-public ghostscript/x (define-public ghostscript/x
(package (inherit ghostscript) (package (inherit ghostscript/fixed)
(name (string-append (package-name ghostscript) "-with-x")) (name (string-append (package-name ghostscript) "-with-x"))
(inputs `(("libxext" ,libxext) (inputs `(("libxext" ,libxext)
("libxt" ,libxt) ("libxt" ,libxt)
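Review bot: `ghostscript/fixed` carries no comment saying what it is: a reader sees a private package that only adds patches and has to work out from the `(replacement ghostscript/fixed)` field on `ghostscript` that this is a graft of security fixes. A header above the define such as `;; Security fixes backported as patches; the version is unchanged so this can be grafted onto 'ghostscript' without rebuilding dependents.` would state both the intent and the ABI-compatibility assumption a graft depends on. The `(replacement #f)` comment could likewise mention that `ghostscript/x` now builds from the patched source directly rather than through a graft.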


@ -3,6 +3,7 @@
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org> ;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -24,6 +25,7 @@
#:use-module (guix build-system gnu) #:use-module (guix build-system gnu)
#:use-module (guix build-system perl) #:use-module (guix build-system perl)
#:use-module (guix download) #:use-module (guix download)
#:use-module (guix hg-download)
#:use-module (guix utils) #:use-module (guix utils)
#:use-module ((guix licenses) #:prefix license:) #:use-module ((guix licenses) #:prefix license:)
#:use-module (gnu packages) #:use-module (gnu packages)
@ -41,17 +43,20 @@
(define-public imagemagick (define-public imagemagick
(package (package
(name "imagemagick") (name "imagemagick")
(version "6.9.5-10") (version "6.9.6-2")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "mirror://imagemagick/ImageMagick-" (uri (string-append "mirror://imagemagick/ImageMagick-"
version ".tar.xz")) version ".tar.xz"))
(sha256 (sha256
(base32 (base32
"0cxjzqzca80vf6sfx4z9zq4wq2w0vy9ajp9kf88jb4na8mwsn198")))) "139h9lycxw3lszn052m34xm0rqyanin4nb529vxjcrkkzqilh91r"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
`(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch") `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
;; FIXME: The test suite succeeded before version 6.9.6-2.
;; Try enabling it again with newer releases.
#:tests? #f
#:phases (modify-phases %standard-phases #:phases (modify-phases %standard-phases
(add-before (add-before
'build 'pre-build 'build 'pre-build
@ -154,17 +159,24 @@ script.")
(license (package-license imagemagick)))) (license (package-license imagemagick))))
(define-public graphicsmagick (define-public graphicsmagick
(let ((changeset "56c8cae") ; 3e01b
(revision "1"))
(package (package
(name "graphicsmagick") (name "graphicsmagick")
(version "1.3.25") (version (string-append "1.3.25-" revision "." changeset))
(source (origin (source (origin
(method url-fetch) (method hg-fetch)
(uri (string-append "ftp://ftp.graphicsmagick.org/pub/" (uri (hg-reference
"GraphicsMagick/" (version-major+minor version) (url "http://hg.code.sf.net/p/graphicsmagick/code")
"/GraphicsMagick-" version ".tar.xz")) (changeset changeset)))
(file-name (string-append name "-" version "-checkout"))
;;(method url-fetch)
;;(uri (string-append "ftp://ftp.graphicsmagick.org/pub/"
;; "GraphicsMagick/" (version-major+minor version)
;; "/GraphicsMagick-" version ".tar.xz"))
(sha256 (sha256
(base32 (base32
"17xcc7pfcmiwpfr1g8ys5a7bdnvqzka53vg3kkzhwwz0s99gljyn")))) "1s9apvkn0kxr6i4i5wlkfw1prja02rgk689n3cf822zc0dkycxdh"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
`(#:configure-flags `(#:configure-flags
@ -198,4 +210,4 @@ script.")
"GraphicsMagick provides a comprehensive collection of utilities, "GraphicsMagick provides a comprehensive collection of utilities,
programming interfaces, and GUIs, to support file format conversion, image programming interfaces, and GUIs, to support file format conversion, image
processing, and 2D vector rendering.") processing, and 2D vector rendering.")
(license license:expat))) (license license:expat))))
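Review bot: The switch of `graphicsmagick` to a Mercurial checkout leaves the reader guessing why: the commented-out `url-fetch` block and the bare `; 3e01b` annotation on the `changeset` binding are the only hints, and neither says what the snapshot contains that the 1.3.25 tarball lacks. Replace both with one comment giving the reason (presumably fixes not yet in a release — confirm) and the condition for going back, e.g. `;; Build from an hg snapshot: <REASON>; return to the release tarball once it ships.`; the plain-http hg URL is acceptable only because the sha256 pins the checkout, which is worth stating in the same comment. The `FIXME` above `#:tests? #f` in `imagemagick` would also be more actionable if it named the failing test(s) rather than just the version at which they broke.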


@ -445,6 +445,65 @@ computations.")
(home-page "https://github.com/OkoSanto/GCTP") (home-page "https://github.com/OkoSanto/GCTP")
(license license:public-domain))) ;https://www2.usgs.gov/laws/info_policies.html (license license:public-domain))) ;https://www2.usgs.gov/laws/info_policies.html
(define-public hdf4
(package
(name "hdf4")
(version "4.2.11")
(source
(origin
(method url-fetch)
(uri (string-append "https://support.hdfgroup.org/ftp/HDF/releases/HDF"
version "/src/hdf-" version ".tar.bz2"))
(sha256
(base32 "16yr50j845zlfx20skmw3y75ww77akk9gg0affjqkg66ih5r03mv"))
(patches (search-patches "hdf4-reproducibility.patch"
"hdf4-shared-fortran.patch"))))
(build-system gnu-build-system)
(native-inputs
`(("gfortran" ,gfortran)
("bison" ,bison)
("flex" ,flex)))
(inputs
`(("zlib" ,zlib)
("libjpeg" ,libjpeg)))
(arguments
`(#:parallel-tests? #f
#:configure-flags '("--enable-shared")
#:phases
(modify-phases %standard-phases
(add-before 'configure 'patchbuild
(lambda _
(substitute*
'("mfhdf/hdfimport/testutil.sh.in" "hdf/util/testutil.sh.in")
(("/bin/rm") "rm")
(("/bin/mkdir") "mkdir"))
(substitute* (find-files "." "^Makefile\\.in$")
(("@HDF_BUILD_XDR_TRUE@XDR_ADD = \
-R\\$\\(abs_top_builddir\\)/mfhdf/xdr/\\.libs") "")
(("@HDF_BUILD_SHARED_TRUE@AM_LDFLAGS = \
-R\\$\\(abs_top_builddir\\)/mfhdf/libsrc/\\.libs \
-R\\$\\(abs_top_builddir\\)/hdf/src/\\.libs \\$\\(XDR_ADD\\)") "")))))))
(home-page "https://www.hdfgroup.org/products/hdf4/")
(synopsis
"Library and multi-object file format for storing and managing data")
(description "HDF4 is a library and multi-object file format for storing
and managing data between machines. HDF4 is an older hierarchical data format,
incompatible with HDF5.")
(license
(license:non-copyleft
"https://www.hdfgroup.org/ftp/HDF/HDF_Current/src/unpacked/COPYING"))))
(define-public hdf4-alt
(package
(inherit hdf4)
(name "hdf4-alt")
(arguments
(substitute-keyword-arguments (package-arguments hdf4)
((#:configure-flags flags) `(cons* "--disable-netcdf" ,flags))))
(synopsis
"HDF4 without netCDF API, can be combined with the regular netCDF library")))
(define-public hdf5 (define-public hdf5
(package (package
(name "hdf5") (name "hdf5")
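Review bot: The `patchbuild` phase of `hdf4` has no comment on its least obvious step, the second `substitute*` that blanks the `@HDF_BUILD_XDR_TRUE@XDR_ADD` and `@HDF_BUILD_SHARED_TRUE@AM_LDFLAGS` lines; these look like `-R` linker flags pointing into the build tree, so a note such as `;; Drop the -R flags that would bake the build directory into the libraries' RUNPATH.` (confirm against the generated Makefile.in) would save the next reader the guesswork. `#:parallel-tests? #f` likewise deserves a one-line reason, and the `/bin/rm`/`/bin/mkdir` rewrite a `;; The test scripts hard-code /bin paths that do not exist in the build environment.`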


@ -0,0 +1,85 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 5 Mar 2016 14:56:03 -0800
Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
---
Resource/Init/gs_init.ps | 2 ++
psi/zfile.c | 36 ++++++++++++++++++++----------------
2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
index fa33d88..99888ac 100644
--- a/Resource/Init/gs_init.ps
+++ b/Resource/Init/gs_init.ps
@@ -2018,6 +2018,7 @@ readonly def
/.locksafe {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
@@ -2036,6 +2037,7 @@ readonly def
%%
/.locksafeglobal {
.locksafe_userparams
+ systemdict /getenv {pop //false} put
% setpagedevice has the side effect of clearing the page, but
% we will just document that. Using setpagedevice keeps the device
% properties and pagedevice .LockSafetyParams in agreement even
diff --git a/psi/zfile.c b/psi/zfile.c
index 320ecd5..0b9f299 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
if (len < devlen)
return_error(e_rangecheck); /* not even room for device len */
- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
- len - devlen);
- if (code == ~(uint) 0) { /* all done */
- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
- return o_pop_estack;
- } else if (code > len) /* overran string */
- return_error(e_rangecheck);
- else {
- push(1);
- ref_assign(op, pscratch);
- r_set_size(op, code + devlen);
- push_op_estack(file_continue); /* come again */
- *++esp = pscratch[2]; /* proc */
- return o_push_estack;
- }
+
+ do {
+ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+ len - devlen);
+ if (code == ~(uint) 0) { /* all done */
+ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+ return o_pop_estack;
+ } else if (code > len) /* overran string */
+ return_error(e_rangecheck);
+ else if (iodev != iodev_default(imemory)
+ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
+ push(1);
+ ref_assign(op, pscratch);
+ r_set_size(op, code + devlen);
+ push_op_estack(file_continue); /* come again */
+ *++esp = pscratch[2]; /* proc */
+ return o_push_estack;
+ }
+ } while(1);
}
/* Cleanup procedure for enumerating files */
static int
--
2.9.1


@ -0,0 +1,185 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
From 6d444c273da5499a4cd72f21cb6d4c9a5256807d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:55:55 +0100
Subject: [PATCH] Bug 697178: Add a file permissions callback
For the rare occasions when the graphics library directly opens a file
(currently for reading), this allows us to apply any restrictions on
file access normally applied in the interpteter.
---
base/gsicc_manage.c | 10 ++++++----
base/gslibctx.c | 12 +++++++++++-
base/gslibctx.h | 7 +++++++
psi/imain.c | 2 ++
psi/int.mak | 2 +-
psi/zfile.c | 19 +++++++++++++++++++
psi/zfile.h | 7 +++++++
7 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
index 931c2a6..e9c09c3 100644
--- a/base/gsicc_manage.c
+++ b/base/gsicc_manage.c
@@ -1028,10 +1028,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
}
/* First just try it like it is */
- str = sfopen(pname, "rb", mem_gc);
- if (str != NULL) {
- *strp = str;
- return 0;
+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
+ str = sfopen(pname, "rb", mem_gc);
+ if (str != NULL) {
+ *strp = str;
+ return 0;
+ }
}
/* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
diff --git a/base/gslibctx.c b/base/gslibctx.c
index eaa0458..37ce1ca 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -121,7 +121,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
mem->gs_lib_ctx = NULL;
return -1;
}
-
+ pio->client_check_file_permission = NULL;
gp_get_realtime(pio->real_time_0);
return 0;
@@ -262,3 +262,13 @@ void errflush(const gs_memory_t *mem)
fflush(mem->gs_lib_ctx->fstderr);
/* else nothing to flush */
}
+
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ int code = 0;
+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
+ }
+ return code;
+}
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 7a4e110..020e2d9 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
# define gs_font_dir_DEFINED
typedef struct gs_font_dir_s gs_font_dir;
#endif
+
+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
typedef struct gs_lib_ctx_s
{
gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
@@ -59,6 +62,7 @@ typedef struct gs_lib_ctx_s
bool dict_auto_expand; /* ps dictionary: false level 1 true level 2 or 3 */
/* A table of local copies of the IODevices */
struct gx_io_device_s **io_device_table;
+ client_check_file_permission_t client_check_file_permission;
/* Define the default value of AccurateScreens that affects setscreen
and setcolorscreen. */
bool screen_accurate_screens;
@@ -108,6 +112,9 @@ int
void gs_lib_ctx_set_icc_directory(const gs_memory_t *mem_gc, const char* pname,
int dir_namelen);
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
#define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
#define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
diff --git a/psi/imain.c b/psi/imain.c
index 9a9bb5d..6874128 100644
--- a/psi/imain.c
+++ b/psi/imain.c
@@ -57,6 +57,7 @@
#include "ivmspace.h"
#include "idisp.h" /* for setting display device callback */
#include "iplugin.h"
+#include "zfile.h"
#ifdef PACIFY_VALGRIND
#include "valgrind.h"
@@ -215,6 +216,7 @@ gs_main_init1(gs_main_instance * minst)
"the_gs_name_table");
if (code < 0)
return code;
+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
}
code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
if (code < 0)
diff --git a/psi/int.mak b/psi/int.mak
index 4654afc..bb30d51 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -1868,7 +1868,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)
+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)
$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
#****** $(CCINT) interp.c
diff --git a/psi/zfile.c b/psi/zfile.c
index 2c6c958..2f27f82 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
}
+/* z_check_file_permissions: see zfile.h for explanation
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
+ gs_parsed_file_name_t pname;
+ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
+ int code = gs_parse_file_name(&pname, fname, len, imemory);
+ if (code < 0)
+ return code;
+
+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
+ return e_invalidfileaccess;
+
+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
+ return code;
+}
+
/* <name_string> <access_string> file <file> */
int /* exported for zsysvm.c */
zfile(i_ctx_t *i_ctx_p)
diff --git a/psi/zfile.h b/psi/zfile.h
index fdf1373..a9399c7 100644
--- a/psi/zfile.h
+++ b/psi/zfile.h
@@ -22,4 +22,11 @@
int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
const char *file_access, stream **ps, gs_memory_t *mem);
+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
+ * to allow applying the above permissions checks when opening file(s) from
+ * the graphics library
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname,
+ const int len, const char *permission);
#endif
--
2.9.1


@ -0,0 +1,25 @@
From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:59:25 +0100
Subject: [PATCH] Bug 697179: Reference count device icc profile
when copying a device
---
base/gsdevice.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 778106f..aea986a 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
dev->memory = mem;
dev->retained = !internal;
rc_init(dev, mem, (internal ? 0 : 1));
+ rc_increment(dev->icc_struct);
}
void
--
2.9.1


@ -0,0 +1,48 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=875a0095f37626a721c7ff57d606a0f95af03913
From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 5 Oct 2016 10:10:58 +0100
Subject: [PATCH] DSC parser - validate parameters
Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."
Regardless of any security implications, its simply wrong for a PostScript
operator not to validate its parameter(s).
No differences expected.
---
psi/zdscpars.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/psi/zdscpars.c b/psi/zdscpars.c
index c05e154..9b4b605 100644
--- a/psi/zdscpars.c
+++ b/psi/zdscpars.c
@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
ref local_ref;
int code;
os_ptr const op = osp;
- dict * const pdict = op->value.pdict;
- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
- dsc_data_t * const data =
- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ dict *pdict;
+ gs_memory_t *mem;
+ dsc_data_t *data;
+ check_read_type(*op, t_dictionary);
+
+ pdict = op->value.pdict;
+ mem = (gs_memory_t *)dict_memory(pdict);
+
+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
if (!data)
return_error(e_VMerror);
data->document_level = 0;
--
2.9.1


@ -0,0 +1,47 @@
The following patch was adapted for GNU Ghostscript
by Mark H Weaver <mhw@netris.org> based on:
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 16:10:27 +0100
Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
and param types
---
psi/zht2.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/psi/zht2.c b/psi/zht2.c
index fb4a264..dfa27a4 100644
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
gs_memory_t *mem;
uint edepth = ref_stack_count(&e_stack);
int npop = 2;
- int dict_enum = dict_first(op);
+ int dict_enum;
ref rvalue[2];
int cname, colorant_number;
byte * pname;
uint name_size;
int halftonetype, type = 0;
gs_state *pgs = igs;
- int space_index = r_space_index(op - 1);
+ int space_index;
+
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(e_stackunderflow);
+ check_type(*op, t_dictionary);
+ check_type(*(op - 1), t_dictionary);
+
+ dict_enum = dict_first(op);
+ space_index = r_space_index(op - 1);
mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
--
2.9.1


@ -0,0 +1,35 @@
Remove/patch unreproducible config data.
diff --git a/configure b/configure
index eb9f346..ebab94d 100755
--- a/configure
+++ b/configure
@@ -23163,7 +23163,7 @@ H4_VERSION="`cut -d' ' -f3 $srcdir/README.txt | head -1`"
## Configuration date
- CONFIG_DATE="`date`"
+CONFIG_DATE=`date -u -d "@$SOURCE_DATE_EPOCH"`
## User doing the configuration
CONFIG_USER="`whoami`@`hostname`"
diff --git a/libhdf4.settings.in b/libhdf4.settings.in
index 1d9bbb9..4180d72 100644
--- a/libhdf4.settings.in
+++ b/libhdf4.settings.in
@@ -5,10 +5,10 @@ General Information:
-------------------
HDF4 Version: @H4_VERSION@
Configured on: @CONFIG_DATE@
- Configured by: @CONFIG_USER@
+ Configured by: guix
Configure mode: @CONFIG_MODE@
- Host system: @host_cpu@-@host_vendor@-@host_os@
- Uname information: @UNAME_INFO@
+ Host system: guix
+ Uname information: guix
Libraries: @STATIC_SHARED@
Installation point: @prefix@
--
2.10.0
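Review bot: The new `CONFIG_DATE` assignment in the configure hunk has no fallback: if `SOURCE_DATE_EPOCH` is unset, `date` receives `@` alone, prints an error and `CONFIG_DATE` ends up empty. Guix's build environment presumably sets the variable, but a default costs nothing and keeps the patch usable when configure is run by hand: `date -u -d "@${SOURCE_DATE_EPOCH:-0}"`.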


@ -0,0 +1,25 @@
Allow building a shared library with Fortran.
---
configure | 6 ------
1 file changed, 6 deletions(-)
diff --git a/configure b/configure
index f37d2fa..eb9f346 100755
--- a/configure
+++ b/configure
@@ -6141,12 +6141,6 @@ if test "X${enable_shared}" != "Xyes"; then
enable_shared="no"
fi
-if test "X${enable_shared}" = "Xyes"; then
- if test "X${BUILD_FORTRAN}" = "Xyes"; then
- as_fn_error $? "Cannot build shared fortran libraries. Please configure with --disable-fortran flag." "$LINENO" 5
- fi
-fi
-
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5
$as_echo_n "checking whether ln -s works... " >&6; }
--
2.10.0


@ -20,11 +20,31 @@
#:use-module (gnu) #:use-module (gnu)
#:use-module (gnu services shepherd) #:use-module (gnu services shepherd)
#:use-module (gnu packages onc-rpc) #:use-module (gnu packages onc-rpc)
#:use-module (gnu packages linux)
#:use-module (guix) #:use-module (guix)
#:use-module (guix records) #:use-module (guix records)
#:use-module (ice-9 match)
#:use-module (gnu build file-systems)
#:export (rpcbind-service-type #:export (rpcbind-service-type
rpcbind-configuration rpcbind-configuration
rpcbind-configuration?)) rpcbind-configuration?
pipefs-service-type
pipefs-configuration
pipefs-configuration?
idmap-service-type
idmap-configuration
idmap-configuration?
gss-service-type
gss-configuration
gss-configuration?))
(define default-pipefs-directory "/var/lib/nfs/rpc_pipefs")
(define-record-type* <rpcbind-configuration> (define-record-type* <rpcbind-configuration>
rpcbind-configuration make-rpcbind-configuration rpcbind-configuration make-rpcbind-configuration
@ -52,3 +72,110 @@
(start #~(make-forkexec-constructor #$rpcbind-command)) (start #~(make-forkexec-constructor #$rpcbind-command))
(stop #~(make-kill-destructor)))))) (stop #~(make-kill-destructor))))))
(define-record-type* <pipefs-configuration>
pipefs-configuration make-pipefs-configuration
pipefs-configuration?
(mount-point pipefs-configuration-mount-point
(default default-pipefs-directory)))
(define pipefs-service-type
(shepherd-service-type
'pipefs
(lambda (config)
(define pipefs-directory (pipefs-configuration-mount-point config))
(shepherd-service
(documentation "Mount the pipefs pseudo filesystem.")
(provision '(rpc-pipefs))
(start #~(lambda ()
(mkdir-p #$pipefs-directory)
(mount "rpc_pipefs" #$pipefs-directory "rpc_pipefs")
(member #$pipefs-directory (mount-points))))
(stop #~(lambda (pid . args)
(umount #$pipefs-directory MNT_DETACH)
(not (member #$pipefs-directory (mount-points)))))))))
(define-record-type* <gss-configuration>
gss-configuration make-gss-configuration
gss-configuration?
(pipefs-directory gss-configuration-pipefs-directory
(default default-pipefs-directory))
(nfs-utils gss-configuration-gss
(default nfs-utils)))
(define gss-service-type
(shepherd-service-type
'gss
(lambda (config)
(define nfs-utils
(gss-configuration-gss config))
(define pipefs-directory
(gss-configuration-pipefs-directory config))
(define gss-command
#~(list (string-append #$nfs-utils "/sbin/rpc.gssd") "-f"
"-p" #$pipefs-directory))
(shepherd-service
(documentation "Start the RPC GSS daemon.")
(requirement '(rpcbind-daemon rpc-pipefs))
(provision '(gss-daemon))
(start #~(make-forkexec-constructor #$gss-command))
(stop #~(make-kill-destructor))))))
(define-record-type* <idmap-configuration>
idmap-configuration make-idmap-configuration
idmap-configuration?
(pipefs-directory idmap-configuration-pipefs-directory
(default default-pipefs-directory))
(domain idmap-configuration-domain
(default #f))
(nfs-utils idmap-configuration-idmap
(default nfs-utils)))
(define idmap-service-type
(shepherd-service-type
'idmap
(lambda (config)
(define nfs-utils
(idmap-configuration-idmap config))
(define pipefs-directory
(idmap-configuration-pipefs-directory config))
(define domain (idmap-configuration-domain config))
(define (idmap-config-file config)
(plain-file "idmapd.conf"
(string-append
"\n[General]\n"
(if domain
(format #f "Domain = ~a\n" domain))
"\n[Mapping]\n"
"Nobody-User = nobody\n"
"Nobody-Group = nogroup\n")))
(define idmap-command
#~(list (string-append #$nfs-utils "/sbin/rpc.idmapd") "-f"
"-p" #$pipefs-directory
"-c" #$(idmap-config-file config)))
(shepherd-service
(documentation "Start the RPC IDMAP daemon.")
(requirement '(rpcbind-daemon rpc-pipefs))
(provision '(idmap-daemon))
(start #~(make-forkexec-constructor #$idmap-command))
(stop #~(make-kill-destructor))))))
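Review bot: `idmap-config-file` breaks with the documented default `domain` of `#f`: the one-armed `(if domain (format #f "Domain = ~a\n" domain))` yields an unspecified value, which `string-append` rejects, so an `idmap-configuration` without an explicit domain cannot be instantiated. Give the `if` an else branch: `(if domain (format #f "Domain = ~a\n" domain) "")`. The inner `idmap-config-file` also takes a `config` parameter it never reads (it closes over `domain` instead), which is confusing; either use the parameter or drop it and bind the `plain-file` directly.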