Merge branch 'master' into core-updates

build-aux/compile-all.scm

@@ -81,6 +81,9 @@
    (let ((files (filter file-needs-compilation? files)))
      (for-each load-module-file files)
      (let ((mutex (make-mutex)))
+       ;; Make sure compilation related modules are loaded before starting to
+       ;; compile files in parallel.
+       (compile #f)
        (par-for-each (lambda (file)
                        (compile-file* file mutex))
                      files)))))

doc/guix.texi

@@ -26,7 +26,8 @@ Copyright @copyright{} 2016 Ben Woodcroft@*
 Copyright @copyright{} 2016 Chris Marusich@*
 Copyright @copyright{} 2016 Efraim Flashner@*
 Copyright @copyright{} 2016 John Darrington@*
-Copyright @copyright{} 2016 ng0
+Copyright @copyright{} 2016 ng0@*
+Copyright @copyright{} 2016 Jan Nieuwenhuizen
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -213,6 +214,7 @@ Services
 
 * Base Services::               Essential system services.
 * Scheduled Job Execution::     The mcron service.
+* Log Rotation::                The rottlog service.
 * Networking Services::         Network setup, SSH daemon, etc.
 * X Window::                    Graphical display.
 * Desktop Services::            D-Bus and desktop services.
@@ -7581,6 +7583,7 @@ declaration.
 @menu
 * Base Services::               Essential system services.
 * Scheduled Job Execution::     The mcron service.
+* Log Rotation::                The rottlog service.
 * Networking Services::         Network setup, SSH daemon, etc.
 * X Window::                    Graphical display.
 * Desktop Services::            D-Bus and desktop services.
@@ -8055,6 +8058,85 @@ specifications,, mcron, GNU@tie{}mcron}).
 @end deftp
 
 
+@node Log Rotation
+@subsubsection Log Rotation
+
+@cindex rottlog
+@cindex log rotation
+Log files such as those found in @file{/var/log} tend to grow endlessly,
+so it's a good idea to @dfn{rotate} them once in a while---i.e., archive
+their contents in separate files, possibly compressed.  The @code{(gnu
+services admin)} module provides an interface to GNU@tie{}Rot[t]log, a
+log rotation tool (@pxref{Top,,, rottlog, GNU Rot[t]log Manual}).
+
+The example below defines an operating system that provides log rotation
+with the default settings.
+
+@lisp
+(use-modules (guix) (gnu))
+(use-service-modules admin mcron)
+(use-package-modules base idutils)
+
+(operating-system
+  ;; @dots{}
+  (services (cons* (mcron-service)
+                   (service rottlog-service-type (rottlog-configuration)) 
+                   %base-services)))
+@end lisp
+
+@defvr {Scheme Variable} rottlog-service-type
+This is the type of the Rottlog service, whose value is a
+@code{rottlog-configuration} object.
+
+This service type can define mcron jobs (@pxref{Scheduled Job
+Execution}) to run the rottlog service.
+@end defvr
+
+@deftp {Data Type} rottlog-configuration
+Data type representing the configuration of rottlog.
+
+@table @asis
+@item @code{rottlog} (default: @code{rottlog})
+The Rottlog package to use.
+
+@item @code{rc-file} (default: @code{(file-append rottlog "/etc/rc")})
+The Rottlog configuration file to use (@pxref{Mandatory RC Variables,,,
+rottlog, GNU Rot[t]log Manual}).
+
+@item @code{periodic-rotations} (default: @code{`(("weekly" %default-rotatations))})
+A list of Rottlog period-name/period-config tuples.
+
+For example, taking an example from the Rottlog manual (@pxref{Period
+Related File Examples,,, rottlog, GNU Rot[t]log Manual}), a valid tuple
+might be:
+
+@example
+("daily" ,(plain-file "daily"
+                      "\
+     /var/log/apache/* @{
+        storedir apache-archives
+        rotate 6
+        notifempty
+        nocompress
+     @}"))
+@end example
+
+@item @code{jobs}
+This is a list of gexps where each gexp corresponds to an mcron job
+specification (@pxref{Scheduled Job Execution}).
+@end table
+@end deftp
+
+@defvr {Scheme Variable} %default-rotations
+Specifies weekly rotation of @var{%rotated-files} and
+@code{"/var/log/shepherd.log"}.
+@end defvr
+
+@defvr {Scheme Variable} %rotated-files
+The list of syslog-controlled files to be rotated.  By default it is:
+@code{'("/var/log/messages" "/var/log/secure")}.
+@end defvr
+
 @node Networking Services
 @subsubsection Networking Services
 
@@ -8199,40 +8281,67 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
-@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
+@deffn {Scheme Variable} openssh-service-type
-       [#:port-number 22] [#:permit-root-login 'without-password] @
+This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
-       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
+shell daemon, @command{sshd}.  Its value must be an
-       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
+@code{openssh-configuration} record as in this example:
-       [#:x11-forwarding? #f] [#:protocol-number "2"]
-Run the @command{sshd} program from @var{openssh} on port
-@var{port-number}.  @command{sshd} runs an SSH daemon and writes its PID
-to @var{pid-file}.  It understands SSH protocol
-@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
 
-@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
+@example
-and @code{#f}.  It is used to allow root login through SSH.
+(service openssh-service-type
-@code{'without-password} means that root login is allowed, but not with
+         (openssh-configuration
-password-based authentication.
+           (x11-forwarding? #t)
+           (permit-root-login 'without-password)))
+@end example
 
-When @var{allow-empty-passwords?} is true, users with empty passwords
+See below for details about @code{openssh-configuration}.
-may log in.  When false, they may not.
-
-When @var{password-authentication?} is true, users may log in with their
-password.  When false, they have to use other means of authentication.
-
-When @var{pubkey-authentication?} is true, users may log in using public
-key authentication.  When false, users have to use other means of
-authentication.  Authorized public keys are stored in
-@file{~/.ssh/authorized_keys}.  This is used only by protocol version 2.
-
-When @var{rsa-authentication?} is true, users may log in using pure RSA
-authentication.  When false, users have to use other means of
-authentication.  This is used only by protocol 1.
-
-When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
-and @option{-Y} will work.
 @end deffn
 
+@deftp {Data Type} openssh-configuration
+This is the configuration record for OpenSSH's @command{sshd}.
+
+@table @asis
+@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
+Name of the file where @command{sshd} writes its PID.
+
+@item @code{port-number} (default: @code{22})
+TCP port on which @command{sshd} listens for incoming connections.
+
+@item @code{permit-root-login} (default: @code{#f})
+This field determines whether and when to allow logins as root.  If
+@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
+If it's the symbol @code{'without-password}, then root logins are
+permitted but not with password-based authentication.
+
+@item @code{allow-empty-passwords?} (default: @code{#f})
+When true, users with empty passwords may log in.  When false, they may
+not.
+
+@item @code{password-authentication?} (default: @code{#t})
+When true, users may log in with their password.  When false, they have
+other authentication methods.
+
+@item @code{public-key-authentication?} (default: @code{#t})
+When true, users may log in using public key authentication.  When
+false, users have to use other authentication method.
+
+Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
+This is used only by protocol version 2.
+
+@item @code{rsa-authentication?} (default: @code{#t})
+When true, users may log in using pure RSA authentication.  When false,
+users have to use other means of authentication.  This is used only by
+protocol 1.
+
+@item @code{x11-forwarding?} (default: @code{#f})
+When true, forwarding of X11 graphical client connections is
+enabled---in other words, @command{ssh} options @option{-X} and
+@option{-Y} will work.
+
+@item @code{protocol-number} (default: @code{2})
+The SSH protocol number to use.
+@end table
+@end deftp
+
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
 daemon} with the given @var{config}, a @code{<dropbear-configuration>}

gnu/local.mk

@@ -386,6 +386,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/zip.scm				\
 						\
   %D%/services.scm				\
+  %D%/services/admin.scm			\
   %D%/services/avahi.scm			\
   %D%/services/base.scm				\
   %D%/services/databases.scm			\
@@ -430,7 +431,8 @@ GNU_SYSTEM_MODULES =				\
 						\
   %D%/tests.scm					\
   %D%/tests/base.scm				\
-  %D%/tests/install.scm
+  %D%/tests/install.scm				\
+  %D%/tests/ssh.scm
 
 
 patchdir = $(guilemoduledir)/%D%/packages/patches
@@ -528,6 +530,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
+  %D%/packages/patches/gd-CVE-2016-7568.patch			\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
@@ -620,6 +623,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-link-with-libm.patch		\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
+  %D%/packages/patches/libarchive-7zip-heap-overflow.patch	\
+  %D%/packages/patches/libarchive-fix-symlink-check.patch	\
+  %D%/packages/patches/libarchive-fix-filesystem-attacks.patch	\
+  %D%/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch	\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
   %D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
   %D%/packages/patches/libcmis-fix-test-onedrive.patch		\
@@ -781,6 +788,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-paste-remove-timing-test.patch	\
   %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
   %D%/packages/patches/qt4-ldflags.patch			\
+  %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
   %D%/packages/patches/rapicorn-isnan.patch			\
   %D%/packages/patches/ratpoison-shell.patch			\
   %D%/packages/patches/readline-link-ncurses.patch		\

gnu/packages/algebra.scm

@@ -593,14 +593,14 @@ cosine/ sine transforms or DCT/DST).")
 (define-public eigen
   (package
     (name "eigen")
-    (version "3.2.8")
+    (version "3.2.9")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://bitbucket.org/eigen/eigen/get/"
                                   version ".tar.bz2"))
               (sha256
                (base32
-                "0mby6my1djsg8681fcvlaq0i4kd17fja9qn5f713j3xpfbb66akj"))
+                "1zs5b210mq7nyanky07li6456rrd0xv2nxf6sl2lhkzdq5p067jd"))
               (file-name (string-append name "-" version ".tar.bz2"))
               (modules '((guix build utils)))
               (snippet

gnu/packages/audio.scm

@@ -877,7 +877,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
 (define-public guitarix
   (package
     (name "guitarix")
-    (version "0.35.0")
+    (version "0.35.1")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -885,7 +885,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
                    version ".tar.xz"))
              (sha256
               (base32
-               "10hijqrrl8xil46kgsac10ysfxysisxlibm2rz133zyig5n63jdw"))))
+               "066qva1zk63qw60s0vbi9g9jh22ljw67p91pk82kv11gw24h3vg6"))))
     (build-system waf-build-system)
     (arguments
      `(#:tests? #f ; no "check" target

gnu/packages/backup.scm

@@ -172,6 +172,7 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
+    (replacement libarchive/fixed)
     (version "3.2.1")
     (source
      (origin
@@ -227,6 +228,17 @@ archive.  In particular, note that there is currently no built-in support for
 random access nor for in-place modification.")
     (license license:bsd-2)))
 
+(define libarchive/fixed
+  (package
+    (inherit libarchive)
+    (source (origin
+              (inherit (package-source libarchive))
+              (patches (search-patches
+                         "libarchive-7zip-heap-overflow.patch"
+                         "libarchive-fix-symlink-check.patch"
+                         "libarchive-fix-filesystem-attacks.patch"
+                         "libarchive-safe_fprintf-buffer-overflow.patch"))))))
+
 (define-public rdup
   (package
     (name "rdup")

gnu/packages/bioinformatics.scm

@@ -5571,7 +5571,7 @@ track.  The database is exposed as a @code{TxDb} object.")
 (define-public vsearch
   (package
     (name "vsearch")
-    (version "2.1.1")
+    (version "2.1.2")
     (source
      (origin
        (method url-fetch)
@@ -5581,7 +5581,7 @@ track.  The database is exposed as a @code{TxDb} object.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0rn40inkpgv0j1r1j9kmgjkb7nc8v5c9ijvbhzr17iayannxvlq9"))
+         "1zzfj6ydsfzljyswlwqknpp8s2cf31vimi1aqf9ljsbagjyizc58"))
        (modules '((guix build utils)))
        (snippet
         '(begin

gnu/packages/databases.scm

@@ -779,7 +779,7 @@ columns, primary keys, unique constraints and relationships.")
 (define-public perl-dbd-mysql
   (package
     (name "perl-dbd-mysql")
-    (version "4.035")
+    (version "4.037")
     (source
      (origin
        (method url-fetch)
@@ -787,7 +787,7 @@ columns, primary keys, unique constraints and relationships.")
                            "DBD-mysql-" version ".tar.gz"))
        (sha256
         (base32
-         "0dqrnrk8yjl06xl8hld5wyalk77z0h9j5h1gdk4z9g0nx9js7v5p"))))
+         "1z1wxnzhxfr9awjqb1d8pz9hf50shbk9ip2jmsmgdlwfyb78lmyz"))))
     (build-system perl-build-system)
     ;; Tests require running MySQL server
     (arguments `(#:tests? #f))

gnu/packages/emacs.scm

@@ -12,7 +12,7 @@
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
 ;;; Copyright © 2016 Matthew Jordan <matthewjordandevops@yandex.com>
 ;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
-;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Copyright © 2016 ng0 <ngillmann@runbox.com>
 ;;; Copyright © 2016 Alex Griffin <a@ajgrf.com>
 ;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Alex Vong <alexvong1995@gmail.com>
@@ -2231,6 +2231,30 @@ perspective only its buffers are available by default.")
     ;; the Expat license.
     (license license:gpl3+)))
 
+(define-public emacs-rudel
+  (package
+    (name "emacs-rudel")
+    (version "0.3.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "http://elpa.gnu.org/packages/rudel-"
+                           version ".tar"))
+       (sha256
+        (base32
+         "0glqa68g509p0s2vcc0i8kzlddnc9brd9jqhnm5rzxz4i050cvnz"))))
+    (build-system emacs-build-system)
+    (home-page "http://rudel.sourceforge.net/")
+    (synopsis "Collaborative editing framework")
+    (description
+     "Rudel is a collaborative editing environment for GNU Emacs.  Its purpose
+is to share buffers with other users in order to edit the contents of those
+buffers collaboratively.  Rudel supports multiple backends to enable
+communication with other collaborative editors using different protocols,
+though currently Obby (for use with the Gobby editor) is the only
+fully-functional one.")
+    (license license:gpl3+)))
+
 (define-public emacs-hydra
   (package
     (name "emacs-hydra")

gnu/packages/fontutils.scm

@@ -426,9 +426,8 @@ resolution.")
     (version "0.9.13")
     (source (origin
               (method url-fetch)
-              (uri (string-append
+              (uri (string-append "mirror://savannah/m17n/libotf-"
-                    "mirror://savannah/releases/m17n/libotf-"
+                                  version ".tar.gz"))
-                    version ".tar.gz"))
               (sha256
                (base32 "0239zvfan56w7vrppriwy77fzb10ag9llaz15nsraps2a2x6di3v"))))
     (build-system gnu-build-system)

gnu/packages/gd.scm

@@ -50,7 +50,8 @@
              (sha256
               (base32
                "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))
-             (patches (search-patches "gd-fix-gd2-read-test.patch"
+             (patches (search-patches "gd-CVE-2016-7568.patch"
+                                      "gd-fix-gd2-read-test.patch"
                                       "gd-fix-tests-on-i686.patch"))))
     (build-system gnu-build-system)
     (native-inputs

gnu/packages/julia.scm

@@ -40,16 +40,17 @@
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages textutils)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages version-control)
   #:use-module (gnu packages wget)
   #:use-module (ice-9 match))
 
 (define libuv-julia
-  (let ((commit "efb40768b7c7bd9f173a7868f74b92b1c5a61a0e")
+  (let ((commit "8d5131b6c1595920dd30644cd1435b4f344b46c8")
-        (revision "3"))
+        (revision "4"))
     (package (inherit libuv)
       (name "libuv-julia")
-      (version (string-append "0.11.26." revision "-" (string-take commit 8)))
+      (version (string-append "1.9.0-" revision "." (string-take commit 8)))
       (source (origin
                 (method git-fetch)
                 (uri (git-reference
@@ -58,7 +59,7 @@
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
-                  "16k6pm2jl0ymz5j4ldxn94imdimahqqfd2izgr3zf1vwyyay77w3"))))
+                  "1fq0vhiprdryw8iisxxwyld3xdr5za6y8458p22ff56al98h22fv"))))
       (build-system gnu-build-system)
       (arguments
        (substitute-keyword-arguments (package-arguments libuv)
@@ -67,10 +68,22 @@
              (delete 'autogen)))))
       (home-page "https://github.com/JuliaLang/libuv"))))
 
+(define libunwind-for-julia
+  (package
+    (inherit libunwind)
+    (version "1.1-julia2")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "https://s3.amazonaws.com/julialang/src/"
+                                  "libunwind-" version ".tar.gz"))
+              (sha256
+               (base32
+                "0499x7sg2v18a6cry6l8y713cgmic0adnjph8i0xr1db9p7n8qyv"))))))
+
 (define-public julia
   (package
     (name "julia")
-    (version "0.4.5")
+    (version "0.5.0")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -78,7 +91,7 @@
                     version "/julia-" version ".tar.gz"))
               (sha256
                (base32
-                "09gc6yf3v4in0qwhrbgjrjgvblp941di0mli4zax22mvf4dzc7s4"))))
+                "0bhickil88lalp9jdj1kmf4is70zinhx8ha9rng0g3z50r4a2qmv"))))
     (build-system gnu-build-system)
     (arguments
      `(#:test-target "test"
@@ -86,6 +99,9 @@
                   (guix build gnu-build-system)
                   (guix build utils))
 
+       ;; Do not strip binaries to keep support for full backtraces.
+       ;; See https://github.com/JuliaLang/julia/issues/17831
+       #:strip-binaries? #f
 
        ;; The DSOs use $ORIGIN to refer to each other, but (guix build
        ;; gremlin) doesn't support it yet, so skip this phase.
@@ -96,24 +112,33 @@
          (delete 'configure)
          (add-after 'unpack 'prepare-deps
            (lambda* (#:key inputs #:allow-other-keys)
-             (copy-file (assoc-ref inputs "rmath-julia")
+             (mkdir "deps/srccache")
-                        "deps/Rmath-julia-0.1.tar.gz")
              (copy-file (assoc-ref inputs "dsfmt")
-                        "deps/dsfmt-2.2.3.tar.gz")
+                        "deps/srccache/dsfmt-2.2.3.tar.gz")
              (copy-file (assoc-ref inputs "objconv")
-                        "deps/objconv.zip")
+                        "deps/srccache/objconv.zip")
              (copy-file (assoc-ref inputs "suitesparse")
-                        "deps/SuiteSparse-4.4.2.tar.gz")
+                        "deps/srccache/SuiteSparse-4.4.5.tar.gz")
-             (copy-file (assoc-ref inputs "virtualenv")
+             (copy-file (string-append (assoc-ref inputs "virtualenv")
-                        "deps/virtualenv-1.11.6.tar.gz")
+                                       "/bin/virtualenv")
+                        "julia-env")
              #t))
+         (add-after 'unpack 'fix-llvm-flag
+           (lambda _
+             (substitute* "src/Makefile"
+               (("-lLLVM-\\$\\(shell \\$\\(LLVM_CONFIG_HOST\\) --version\\)")
+                "$(shell $(LLVM_CONFIG_HOST) --libs)"))
+             #t))
+         (add-before 'check 'set-home
+           ;; Some tests require a home directory to be set.
+           (lambda _ (setenv "HOME" "/tmp") #t))
          (add-after 'unpack 'hardcode-soname-map
-          ;; ./src/ccall.cpp creates a map from library names to paths using the
+          ;; ./src/runtime_ccall.cpp creates a map from library names to paths
-          ;; output of "/sbin/ldconfig -p".  Since ldconfig is not used in Guix,
+          ;; using the output of "/sbin/ldconfig -p".  Since ldconfig is not
-          ;; we patch ccall.cpp to contain a static map.
+          ;; used in Guix, we patch runtime_ccall.cpp to contain a static map.
           (lambda* (#:key inputs #:allow-other-keys)
             (use-modules (ice-9 match))
-            (substitute* "src/ccall.cpp"
+            (substitute* "src/runtime_ccall.cpp"
               (("jl_read_sonames.*;")
                (string-join
                 (map (match-lambda
@@ -133,6 +158,31 @@
                        ("openspecfun" "libopenspecfun" "libopenspecfun.so")
                        ("fftw"        "libfftw3"       "libfftw3.so")
                        ("fftwf"       "libfftw3f"      "libfftw3f.so"))))))
+            (substitute* "base/fft/FFTW.jl"
+              (("const libfftw = Base.libfftw_name")
+               (string-append "const libfftw = \""
+                              (assoc-ref inputs "fftw") "/lib/libfftw3.so"
+                              "\""))
+              (("const libfftwf = Base.libfftwf_name")
+               (string-append "const libfftwf = \""
+                              (assoc-ref inputs "fftwf") "/lib/libfftw3f.so"
+                              "\"")))
+            (substitute* "base/math.jl"
+              (("const libm = Base.libm_name")
+               (string-append "const libm = \""
+                              (assoc-ref inputs "openlibm")
+                              "/lib/libopenlibm.so"
+                              "\""))
+              (("const openspecfun = \"libopenspecfun\"")
+               (string-append "const openspecfun = \""
+                              (assoc-ref inputs "openspecfun")
+                              "/lib/libopenspecfun.so"
+                              "\"")))
+            (substitute* "base/pcre.jl"
+              (("const PCRE_LIB = \"libpcre2-8\"")
+               (string-append "const PCRE_LIB = \""
+                              (assoc-ref inputs "pcre2")
+                              "/lib/libpcre2-8.so" "\"")))
             #t))
          (add-before 'build 'fix-include-and-link-paths
           (lambda* (#:key inputs #:allow-other-keys)
@@ -153,10 +203,6 @@
                               (assoc-ref %build-inputs "libuv")
                               "/lib/libuv.so ")))
 
-            (substitute* "deps/Makefile"
-              (("/usr/include/double-conversion")
-               (string-append (assoc-ref %build-inputs "double-conversion")
-                              "/include/double-conversion")))
             (substitute* "base/Makefile"
               (("\\$\\(build_includedir\\)/uv-errno.h")
                (string-append (assoc-ref inputs "libuv")
@@ -176,15 +222,13 @@
          (add-before 'check 'disable-broken-tests
            (lambda _
              (substitute* "test/choosetests.jl"
-               ;; These tests time out.  See
+               ;; These tests fail, probably because some of the input
-               ;; https://github.com/JuliaLang/julia/issues/14374 for ongoing
+               ;; binaries have been stripped and thus backtraces don't look
-               ;; discussion.
+               ;; as expected.
-               (("\"replcompletions\",") "")
+               (("\"backtrace\",") "")
-               (("\"repl\",") ""))
+               (("\"compile\",") "")
-             (substitute* "test/repl.jl"
+               (("\"replutil\",") "")
-               ;; This test fails because we cannot escape the build
+               (("\"cmdlineargs\",") ""))
-               ;; directory.
-               (("@test pwd\\(\\) == homedir\\(\\)") "#"))
              #t)))
        #:make-flags
        (list
@@ -203,9 +247,6 @@
         "CONFIG_SHELL=bash"     ;needed to build bundled libraries
         "USE_SYSTEM_DSFMT=0"    ;not packaged for Guix and upstream has no
                                 ;build system for a shared library.
-        "USE_SYSTEM_RMATH=0"    ;Julia uses a bundled version of R's math
-                                ;library, patched to use the DSFMT RNG.
-
         "USE_SYSTEM_LAPACK=1"
         "USE_SYSTEM_BLAS=1"
         "USE_BLAS64=0"          ;needed when USE_SYSTEM_BLAS=1
@@ -222,7 +263,6 @@
         ;;                "/include")
 
         "USE_GPL_LIBS=1"        ;proudly
-        "USE_SYSTEM_GRISU=1"    ;for double-conversion
         "USE_SYSTEM_UTF8PROC=1"
         (string-append "UTF8PROC_INC="
                        (assoc-ref %build-inputs "utf8proc")
@@ -245,15 +285,14 @@
         "USE_SYSTEM_LIBGIT2=1"
         "USE_SYSTEM_OPENSPECFUN=1")))
     (inputs
-     `(("llvm" ,llvm-3.5)
+     `(("llvm" ,llvm)
        ("arpack-ng" ,arpack-ng)
        ("coreutils" ,coreutils) ;for bindings to "mkdir" and the like
        ("lapack" ,lapack)
        ("openblas" ,openblas) ;Julia does not build with Atlas
-       ("libunwind" ,libunwind)
+       ("libunwind" ,libunwind-for-julia)
        ("openlibm" ,openlibm)
        ("openspecfun" ,openspecfun)
-       ("double-conversion" ,double-conversion)
        ("libgit2" ,libgit2)
        ("fftw" ,fftw)
        ("fftwf" ,fftwf)
@@ -266,24 +305,19 @@
        ("which" ,which)
        ("zlib" ,zlib)
        ("gmp" ,gmp)
+       ("virtualenv" ,python2-virtualenv)
        ;; FIXME: The following inputs are downloaded from upstream to allow us
        ;; to use the lightweight Julia release tarball.  Ideally, these inputs
        ;; would eventually be replaced with proper Guix packages.
-       ("rmath-julia"
+
-        ,(origin
+       ;; TODO: run "make -f contrib/repackage_system_suitesparse4.make" to copy static lib
-           (method url-fetch)
-           (uri "https://api.github.com/repos/JuliaLang/Rmath-julia/tarball/v0.1")
-           (file-name "rmath-julia-0.1.tar.gz")
-           (sha256
-            (base32
-             "0ai5dhjc43zcvangz123ryxmlbm51s21rg13bllwyn98w67arhb4"))))
        ("suitesparse"
         ,(origin
            (method url-fetch)
-           (uri "http://faculty.cse.tamu.edu/davis/SuiteSparse/SuiteSparse-4.4.2.tar.gz")
+           (uri "http://faculty.cse.tamu.edu/davis/SuiteSparse/SuiteSparse-4.4.5.tar.gz")
            (sha256
             (base32
-             "1dg0qsv07n71nbn9cgcvn73933rgy1jnxw5bfqkwfq3bidk44cqc"))))
+             "1jcbxb8jx5wlcixzf6n5dca2rcfx6mlcms1k2rl5gp67ay3bix43"))))
        ("objconv"
         ,(origin
            (method url-fetch)
@@ -299,18 +333,10 @@
                  "SFMT/dSFMT-src-2.2.3.tar.gz"))
            (sha256
             (base32
-             "03kaqbjbi6viz0n33dk5jlf6ayxqlsq4804n7kwkndiga9s4hd42"))))
+             "03kaqbjbi6viz0n33dk5jlf6ayxqlsq4804n7kwkndiga9s4hd42"))))))
-       ("virtualenv"
-        ,(origin
-           (method url-fetch)
-           (uri (string-append "https://pypi.python.org/packages/24/cc/"
-                               "a3cdf0a49ffcaef483b7e2511476aa520cf7260c199a6928fda6c43ba916/"
-                               "virtualenv-1.11.6.tar.gz"))
-           (sha256
-            (base32
-             "1xq4prmg25n9cz5zcvbqx68lmc3kl39by582vd8pzs9f3qalqyiy"))))))
     (native-inputs
-     `(("perl" ,perl)
+     `(("openssl" ,openssl)
+       ("perl" ,perl)
        ("patchelf" ,patchelf)
        ("pkg-config" ,pkg-config)
        ("python" ,python-2)))

gnu/packages/libreoffice.scm

@@ -710,7 +710,7 @@ and to return information on pronunciations, meanings and synonyms.")
 (define-public libreoffice
   (package
     (name "libreoffice")
-    (version "5.1.4.2")
+    (version "5.1.5.2")
     (source
      (origin
       (method url-fetch)
@@ -719,7 +719,7 @@ and to return information on pronunciations, meanings and synonyms.")
           "http://download.documentfoundation.org/libreoffice/src/"
           (version-prefix version 3) "/libreoffice-" version ".tar.xz"))
       (sha256 (base32
-               "11c30y9gvsy5h3nh9pnciq57gi99plrmr6qp8hhdk2l5xmwlmrfa"))))
+               "1qg0dj0zwh5ifhmvv4k771nmyqddz4ifn75s9mr1p0nyix8zks8x"))))
     (build-system gnu-build-system)
     (native-inputs
      `(;; autoreconf is run by the LibreOffice build system, since after

gnu/packages/linux.scm

@@ -321,14 +321,14 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 
 (define-public linux-libre
-  (make-linux-libre "4.7.5"
+  (make-linux-libre "4.7.6"
-                    "1v5xzagc7zmf0dszq623h83rzhn2qwcapg2fwlihrrb6h9317xqx"
+                    "0716lpzq3w2pdc0nrrx06gqzdfzhkrjq7g37v4ws9wjlzak8hkvy"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.22"
+  (make-linux-libre "4.4.23"
-                    "0pwqp5hain26p3wmiqgq3qasyp4j7nl2ai49sq2n8xdi3g2vnmii"
+                    "07akixpxlcrpfsadnppyk2hbggqf7j2hzlkg56k0yh3dhyglxv86"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -339,8 +339,8 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 ;; Avoid rebuilding kernel variants when there is a minor version bump.
-(define %linux-libre-version "4.7.5")
+(define %linux-libre-version "4.7.6")
-(define %linux-libre-hash "1v5xzagc7zmf0dszq623h83rzhn2qwcapg2fwlihrrb6h9317xqx")
+(define %linux-libre-hash "0716lpzq3w2pdc0nrrx06gqzdfzhkrjq7g37v4ws9wjlzak8hkvy")
 
 (define-public linux-libre-arm-generic
   (make-linux-libre %linux-libre-version

gnu/packages/password-utils.scm

@@ -109,6 +109,17 @@ algorithms AES or Twofish.")
                (base32
                 "1y43yhgy2zbrk5bqj3qyx9rkcz2bma9sinlrg7dip3jqms9gq4lr"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'wrap-shroud
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((out       (assoc-ref outputs "out"))
+                    (ccachedir (string-append out "/lib/guile/2.0/ccache"))
+                    (prog      (string-append out "/bin/shroud")))
+               (wrap-program prog
+                 `("GUILE_LOAD_COMPILED_PATH" ":" prefix (,ccachedir)))
+               #t))))))
     (inputs
      `(("guile" ,guile-2.0)
        ("gnupg" ,gnupg)

gnu/packages/patches/gd-CVE-2016-7568.patch

@@ -0,0 +1,44 @@
+Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()):
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f
+
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+ src/gd_webp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ 		quality = 80;
+ 	}
+ 
++	if (overflow2(gdImageSX(im), 4)) {
++		return;
++	}
++
++	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++		return;
++	}
++
+ 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+ 	if (!argb) {
+ 		return;
+-- 
+2.10.0
+

gnu/packages/patches/libarchive-7zip-heap-overflow.patch

@@ -0,0 +1,77 @@
+Fix buffer overflow reading 7Zip files:
+
+https://github.com/libarchive/libarchive/issues/761
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
+
+From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 18 Sep 2016 18:14:58 -0700
+Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
+
+The sample file that demonstrated this had multiple 'EmptyStream'
+attributes.  The first one ended up being used to calculate
+certain statistics, then was overwritten by the second which
+was incompatible with those statistics.
+
+The fix here is to reject any header with multiple EmptyStream
+attributes.  While here, also reject headers with multiple
+EmptyFile, AntiFile, Name, or Attributes markers.
+---
+ libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index 1dfe52b..c0a536c 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 
+ 		switch (type) {
+ 		case kEmptyStream:
++			if (h->emptyStreamBools != NULL)
++				return (-1);
+ 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
+ 			    sizeof(*h->emptyStreamBools));
+ 			if (h->emptyStreamBools == NULL)
+@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 					return (-1);
+ 				break;
+ 			}
++			if (h->emptyFileBools != NULL)
++				return (-1);
+ 			h->emptyFileBools = calloc(empty_streams,
+ 			    sizeof(*h->emptyFileBools));
+ 			if (h->emptyFileBools == NULL)
+@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 					return (-1);
+ 				break;
+ 			}
++			if (h->antiBools != NULL)
++				return (-1);
+ 			h->antiBools = calloc(empty_streams,
+ 			    sizeof(*h->antiBools));
+ 			if (h->antiBools == NULL)
+@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 			if ((ll & 1) || ll < zip->numFiles * 4)
+ 				return (-1);
+ 
++			if (zip->entry_names != NULL)
++				return (-1);
+ 			zip->entry_names = malloc(ll);
+ 			if (zip->entry_names == NULL)
+ 				return (-1);
+@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
+ 			if ((p = header_bytes(a, 2)) == NULL)
+ 				return (-1);
+ 			allAreDefined = *p;
++			if (h->attrBools != NULL)
++				return (-1);
+ 			h->attrBools = calloc((size_t)zip->numFiles,
+ 			    sizeof(*h->attrBools));
+ 			if (h->attrBools == NULL)
+-- 
+2.10.0
+

gnu/packages/patches/libarchive-fix-filesystem-attacks.patch

@@ -0,0 +1,445 @@
+This patch fixes two bugs that allow attackers to overwrite or change
+the permissions of arbitrary files:
+
+https://github.com/libarchive/libarchive/issues/745
+https://github.com/libarchive/libarchive/issues/746
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
+
+From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 11 Sep 2016 13:21:57 -0700
+Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
+
+---
+ libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
+ 1 file changed, 227 insertions(+), 67 deletions(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 8f0421e..abe1a86 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -326,12 +326,14 @@ struct archive_write_disk {
+ 
+ #define HFS_BLOCKS(s)	((s) >> 12)
+ 
++static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
+ static int	check_symlinks(struct archive_write_disk *);
+ static int	create_filesystem_object(struct archive_write_disk *);
+ static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
+ #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
+ static void	edit_deep_directories(struct archive_write_disk *ad);
+ #endif
++static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
+ static int	cleanup_pathname(struct archive_write_disk *);
+ static int	create_dir(struct archive_write_disk *, char *);
+ static int	create_parent_dir(struct archive_write_disk *, char *);
+@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
+ 	const char *linkname;
+ 	mode_t final_mode, mode;
+ 	int r;
++	/* these for check_symlinks_fsobj */
++	char *linkname_copy;	/* non-const copy of linkname */
++	struct archive_string error_string;
++	int error_number;
+ 
+ 	/* We identify hard/symlinks according to the link names. */
+ 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
+@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
+ #if !HAVE_LINK
+ 		return (EPERM);
+ #else
++		archive_string_init(&error_string);
++		linkname_copy = strdup(linkname);
++		if (linkname_copy == NULL) {
++		    return (EPERM);
++		}
++		/* TODO: consider using the cleaned-up path as the link target? */
++		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
++		if (r != ARCHIVE_OK) {
++			archive_set_error(&a->archive, error_number, "%s", error_string.s);
++			free(linkname_copy);
++			/* EPERM is more appropriate than error_number for our callers */
++			return (EPERM);
++		}
++		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
++		if (r != ARCHIVE_OK) {
++			archive_set_error(&a->archive, error_number, "%s", error_string.s);
++			free(linkname_copy);
++			/* EPERM is more appropriate than error_number for our callers */
++			return (EPERM);
++		}
++		free(linkname_copy);
+ 		r = link(linkname, a->name) ? errno : 0;
+ 		/*
+ 		 * New cpio and pax formats allow hardlink entries
+@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
+  * recent paths.
+  */
+ /* TODO: Extend this to support symlinks on Windows Vista and later. */
++
++/*
++ * Checks the given path to see if any elements along it are symlinks.  Returns
++ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
++ */
+ static int
+-check_symlinks(struct archive_write_disk *a)
++check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
+ {
+ #if !defined(HAVE_LSTAT)
+ 	/* Platform doesn't have lstat, so we can't look for symlinks. */
+ 	(void)a; /* UNUSED */
++	(void)path; /* UNUSED */
++	(void)error_number; /* UNUSED */
++	(void)error_string; /* UNUSED */
++	(void)flags; /* UNUSED */
+ 	return (ARCHIVE_OK);
+ #else
+-	char *pn;
++	int res = ARCHIVE_OK;
++	char *tail;
++	char *head;
++	int last;
+ 	char c;
+ 	int r;
+ 	struct stat st;
++	int restore_pwd;
++
++	/* Nothing to do here if name is empty */
++	if(path[0] == '\0')
++	    return (ARCHIVE_OK);
+ 
+ 	/*
+ 	 * Guard against symlink tricks.  Reject any archive entry whose
+ 	 * destination would be altered by a symlink.
++	 *
++	 * Walk the filename in chunks separated by '/'.  For each segment:
++	 *  - if it doesn't exist, continue
++	 *  - if it's symlink, abort or remove it
++	 *  - if it's a directory and it's not the last chunk, cd into it
++	 * As we go:
++	 *  head points to the current (relative) path
++	 *  tail points to the temporary \0 terminating the segment we're currently examining
++	 *  c holds what used to be in *tail
++	 *  last is 1 if this is the last tail
+ 	 */
+-	/* Whatever we checked last time doesn't need to be re-checked. */
+-	pn = a->name;
+-	if (archive_strlen(&(a->path_safe)) > 0) {
+-		char *p = a->path_safe.s;
+-		while ((*pn != '\0') && (*p == *pn))
+-			++p, ++pn;
+-	}
++	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
++	__archive_ensure_cloexec_flag(restore_pwd);
++	if (restore_pwd < 0)
++		return (ARCHIVE_FATAL);
++	head = path;
++	tail = path;
++	last = 0;
++	/* TODO: reintroduce a safe cache here? */
+ 	/* Skip the root directory if the path is absolute. */
+-	if(pn == a->name && pn[0] == '/')
+-		++pn;
+-	c = pn[0];
+-	/* Keep going until we've checked the entire name. */
+-	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
++	if(tail == path && tail[0] == '/')
++		++tail;
++	/* Keep going until we've checked the entire name.
++	 * head, tail, path all alias the same string, which is
++	 * temporarily zeroed at tail, so be careful restoring the
++	 * stashed (c=tail[0]) for error messages.
++	 * Exiting the loop with break is okay; continue is not.
++	 */
++	while (!last) {
++		/* Skip the separator we just consumed, plus any adjacent ones */
++		while (*tail == '/')
++		    ++tail;
+ 		/* Skip the next path element. */
+-		while (*pn != '\0' && *pn != '/')
+-			++pn;
+-		c = pn[0];
+-		pn[0] = '\0';
++		while (*tail != '\0' && *tail != '/')
++			++tail;
++		/* is this the last path component? */
++		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
++		/* temporarily truncate the string here */
++		c = tail[0];
++		tail[0] = '\0';
+ 		/* Check that we haven't hit a symlink. */
+-		r = lstat(a->name, &st);
++		r = lstat(head, &st);
+ 		if (r != 0) {
++			tail[0] = c;
+ 			/* We've hit a dir that doesn't exist; stop now. */
+ 			if (errno == ENOENT) {
+ 				break;
+ 			} else {
+-				/* Note: This effectively disables deep directory
++				/* Treat any other error as fatal - best to be paranoid here
++				 * Note: This effectively disables deep directory
+ 				 * support when security checks are enabled.
+ 				 * Otherwise, very long pathnames that trigger
+ 				 * an error here could evade the sandbox.
+ 				 * TODO: We could do better, but it would probably
+ 				 * require merging the symlink checks with the
+ 				 * deep-directory editing. */
+-				return (ARCHIVE_FAILED);
++				if (error_number) *error_number = errno;
++				if (error_string)
++					archive_string_sprintf(error_string,
++							"Could not stat %s",
++							path);
++				res = ARCHIVE_FAILED;
++				break;
++			}
++		} else if (S_ISDIR(st.st_mode)) {
++			if (!last) {
++				if (chdir(head) != 0) {
++					tail[0] = c;
++					if (error_number) *error_number = errno;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Could not chdir %s",
++								path);
++					res = (ARCHIVE_FATAL);
++					break;
++				}
++				/* Our view is now from inside this dir: */
++				head = tail + 1;
+ 			}
+ 		} else if (S_ISLNK(st.st_mode)) {
+-			if (c == '\0') {
++			if (last) {
+ 				/*
+ 				 * Last element is symlink; remove it
+ 				 * so we can overwrite it with the
+ 				 * item being extracted.
+ 				 */
+-				if (unlink(a->name)) {
+-					archive_set_error(&a->archive, errno,
+-					    "Could not remove symlink %s",
+-					    a->name);
+-					pn[0] = c;
+-					return (ARCHIVE_FAILED);
++				if (unlink(head)) {
++					tail[0] = c;
++					if (error_number) *error_number = errno;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Could not remove symlink %s",
++								path);
++					res = ARCHIVE_FAILED;
++					break;
+ 				}
+-				a->pst = NULL;
+ 				/*
+ 				 * Even if we did remove it, a warning
+ 				 * is in order.  The warning is silly,
+ 				 * though, if we're just replacing one
+ 				 * symlink with another symlink.
+ 				 */
+-				if (!S_ISLNK(a->mode)) {
+-					archive_set_error(&a->archive, 0,
+-					    "Removing symlink %s",
+-					    a->name);
++				tail[0] = c;
++				/* FIXME:  not sure how important this is to restore
++				if (!S_ISLNK(path)) {
++					if (error_number) *error_number = 0;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Removing symlink %s",
++								path);
+ 				}
++				*/
+ 				/* Symlink gone.  No more problem! */
+-				pn[0] = c;
+-				return (0);
+-			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
++				res = ARCHIVE_OK;
++				break;
++			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
+ 				/* User asked us to remove problems. */
+-				if (unlink(a->name) != 0) {
+-					archive_set_error(&a->archive, 0,
+-					    "Cannot remove intervening symlink %s",
+-					    a->name);
+-					pn[0] = c;
+-					return (ARCHIVE_FAILED);
++				if (unlink(head) != 0) {
++					tail[0] = c;
++					if (error_number) *error_number = 0;
++					if (error_string)
++						archive_string_sprintf(error_string,
++								"Cannot remove intervening symlink %s",
++								path);
++					res = ARCHIVE_FAILED;
++					break;
+ 				}
+-				a->pst = NULL;
++				tail[0] = c;
+ 			} else {
+-				archive_set_error(&a->archive, 0,
+-				    "Cannot extract through symlink %s",
+-				    a->name);
+-				pn[0] = c;
+-				return (ARCHIVE_FAILED);
++				tail[0] = c;
++				if (error_number) *error_number = 0;
++				if (error_string)
++					archive_string_sprintf(error_string,
++							"Cannot extract through symlink %s",
++							path);
++				res = ARCHIVE_FAILED;
++				break;
+ 			}
+ 		}
+-		pn[0] = c;
+-		if (pn[0] != '\0')
+-			pn++; /* Advance to the next segment. */
++		/* be sure to always maintain this */
++		tail[0] = c;
++		if (tail[0] != '\0')
++			tail++; /* Advance to the next segment. */
+ 	}
+-	pn[0] = c;
+-	/* We've checked and/or cleaned the whole path, so remember it. */
+-	archive_strcpy(&a->path_safe, a->name);
+-	return (ARCHIVE_OK);
++	/* Catches loop exits via break */
++	tail[0] = c;
++#ifdef HAVE_FCHDIR
++	/* If we changed directory above, restore it here. */
++	if (restore_pwd >= 0) {
++		r = fchdir(restore_pwd);
++		if (r != 0) {
++			if(error_number) *error_number = errno;
++			if(error_string)
++				archive_string_sprintf(error_string,
++						"chdir() failure");
++		}
++		close(restore_pwd);
++		restore_pwd = -1;
++		if (r != 0) {
++			res = (ARCHIVE_FATAL);
++		}
++	}
++#endif
++	/* TODO: reintroduce a safe cache here? */
++	return res;
+ #endif
+ }
+ 
++/*
++ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
++ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
++ */
++static int
++check_symlinks(struct archive_write_disk *a)
++{
++	struct archive_string error_string;
++	int error_number;
++	int rc;
++	archive_string_init(&error_string);
++	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
++	if (rc != ARCHIVE_OK) {
++		archive_set_error(&a->archive, error_number, "%s", error_string.s);
++	}
++	archive_string_free(&error_string);
++	a->pst = NULL;	/* to be safe */
++	return rc;
++}
++
++
+ #if defined(__CYGWIN__)
+ /*
+  * 1. Convert a path separator from '\' to '/' .
+@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
+  * is set) if the path is absolute.
+  */
+ static int
+-cleanup_pathname(struct archive_write_disk *a)
++cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
+ {
+ 	char *dest, *src;
+ 	char separator = '\0';
+ 
+-	dest = src = a->name;
++	dest = src = path;
+ 	if (*src == '\0') {
+-		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+-		    "Invalid empty pathname");
++		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++		if (error_string)
++		    archive_string_sprintf(error_string,
++			    "Invalid empty pathname");
+ 		return (ARCHIVE_FAILED);
+ 	}
+ 
+@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
+ #endif
+ 	/* Skip leading '/'. */
+ 	if (*src == '/') {
+-		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
+-			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
+-			                  "Path is absolute");
++		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
++			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++			if (error_string)
++			    archive_string_sprintf(error_string,
++				    "Path is absolute");
+ 			return (ARCHIVE_FAILED);
+ 		}
+ 
+@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
+ 			} else if (src[1] == '.') {
+ 				if (src[2] == '/' || src[2] == '\0') {
+ 					/* Conditionally warn about '..' */
+-					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
+-						archive_set_error(&a->archive,
+-						    ARCHIVE_ERRNO_MISC,
+-						    "Path contains '..'");
++					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
++						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
++						if (error_string)
++						    archive_string_sprintf(error_string,
++							    "Path contains '..'");
+ 						return (ARCHIVE_FAILED);
+ 					}
+ 				}
+@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
+ 	 * We've just copied zero or more path elements, not including the
+ 	 * final '/'.
+ 	 */
+-	if (dest == a->name) {
++	if (dest == path) {
+ 		/*
+ 		 * Nothing got copied.  The path must have been something
+ 		 * like '.' or '/' or './' or '/././././/./'.
+@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
+ 	return (ARCHIVE_OK);
+ }
+ 
++static int
++cleanup_pathname(struct archive_write_disk *a)
++{
++	struct archive_string error_string;
++	int error_number;
++	int rc;
++	archive_string_init(&error_string);
++	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
++	if (rc != ARCHIVE_OK) {
++		archive_set_error(&a->archive, error_number, "%s", error_string.s);
++	}
++	archive_string_free(&error_string);
++	return rc;
++}
++
+ /*
+  * Create the parent directory of the specified path, assuming path
+  * is already in mutable storage.

gnu/packages/patches/libarchive-fix-symlink-check.patch

@@ -0,0 +1,60 @@
+Make sure to check for symlinks even if the pathname is very long:
+
+https://github.com/libarchive/libarchive/issues/744
+
+Patch copied from upstream repository:
+
+https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
+
+From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 21 Aug 2016 17:11:45 -0700
+Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
+ long pathnames
+
+Because check_symlinks is handled separately from the deep-directory
+support, very long pathnames cause problems.  Previously, the code
+ignored most failures to lstat() a path component.  In particular,
+this led to check_symlinks always passing for very long paths, which
+in turn provides a way to evade the symlink checks in the sandboxing
+code.
+
+We now fail on unrecognized lstat() failures, which plugs this
+hole at the cost of disabling deep directory support when the
+user requests sandboxing.
+
+TODO:  This probably cannot be completely fixed without
+entirely reimplementing the deep directory support to
+integrate the symlink checks.  I want to reimplement the
+deep directory hanlding someday anyway; openat() and
+related system calls now provide a much cleaner way to
+handle deep directories than the chdir approach used by this
+code.
+---
+ libarchive/archive_write_disk_posix.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
+index 39ee3b6..8f0421e 100644
+--- a/libarchive/archive_write_disk_posix.c
++++ b/libarchive/archive_write_disk_posix.c
+@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
+ 		r = lstat(a->name, &st);
+ 		if (r != 0) {
+ 			/* We've hit a dir that doesn't exist; stop now. */
+-			if (errno == ENOENT)
++			if (errno == ENOENT) {
+ 				break;
++			} else {
++				/* Note: This effectively disables deep directory
++				 * support when security checks are enabled.
++				 * Otherwise, very long pathnames that trigger
++				 * an error here could evade the sandbox.
++				 * TODO: We could do better, but it would probably
++				 * require merging the symlink checks with the
++				 * deep-directory editing. */
++				return (ARCHIVE_FAILED);
++			}
+ 		} else if (S_ISLNK(st.st_mode)) {
+ 			if (c == '\0') {
+ 				/*

gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch

@@ -0,0 +1,44 @@
+Fixes this buffer overflow:
+https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
+
+Patch copied from upstream source repository:
+https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
+
+From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Sun, 21 Aug 2016 10:51:43 -0700
+Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
+
+The safe_fprintf function attempts to ensure clean output for an
+arbitrary sequence of bytes by doing a trial conversion of the
+multibyte characters to wide characters -- if the resulting wide
+character is printable then we pass through the corresponding bytes
+unaltered, otherwise, we convert them to C-style ASCII escapes.
+
+The stack trace in Issue #767 suggest that the 20-byte buffer
+was getting overflowed trying to format a non-printable multibyte
+character.  This should only happen if there is a valid multibyte
+character of more than 5 bytes that was unprintable.  (Each byte
+would get expanded to a four-charcter octal-style escape of the form
+"\123" resulting in >20 characters for the >5 byte multibyte character.)
+
+I've not been able to reproduce this, but have expanded the conversion
+buffer to 128 bytes on the belief that no multibyte character set
+has a single character of more than 32 bytes.
+---
+ tar/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 9ff22f2..2b4aebe 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
+ 		}
+ 
+ 		/* If our output buffer is full, dump it and keep going. */
+-		if (i > (sizeof(outbuff) - 20)) {
++		if (i > (sizeof(outbuff) - 128)) {
+ 			outbuff[i] = '\0';
+ 			fprintf(f, "%s", outbuff);
+ 			i = 0;

gnu/packages/patches/quickswitch-fix-dmenu-check.patch

@@ -0,0 +1,32 @@
+Fix check for dmenu (open file mode, dependency on which).
+
+See <https://github.com/proxypoke/quickswitch-for-i3/pull/24>.
+
+--- quickswitch-i3-2.2/quickswitch.py	2016-09-18 19:59:10.257765542 +0200
++++ quickswitch-i3-2.2/quickswitch.py	2016-09-21 10:43:01.277577819 +0200
+@@ -24,9 +24,10 @@
+ 
+ import argparse
+ import subprocess
+-import os
+ import re
+ 
++from distutils.spawn import find_executable
++
+ try:
+     import i3
+ except ImportError:
+@@ -37,11 +38,8 @@
+ 
+ def check_dmenu():
+     '''Check if dmenu is available.'''
+-    devnull = open(os.devnull)
+-    retcode = subprocess.call(["which", "dmenu"],
+-                              stdout=devnull,
+-                              stderr=devnull)
+-    return True if retcode == 0 else False
++    executable = find_executable("dmenu")
++    return executable != None
+ 
+ 
+ def dmenu(options, dmenu):

gnu/packages/shells.scm

@@ -281,8 +281,18 @@ ksh, and tcsh.")
         (uri (pypi-uri "xonsh" version))
         (sha256
           (base32
-            "0byxd9kjl99q2pyvjh9jy18l0di1i35wr0qqgnw4i6jh6ig3zcki"))))
+            "0byxd9kjl99q2pyvjh9jy18l0di1i35wr0qqgnw4i6jh6ig3zcki"))
+        (modules '((guix build utils)))
+        (snippet
+         `(begin
+            ;; Delete bundled ply.
+            (delete-file-recursively "xonsh/ply")
+            (substitute* '("setup.py")
+              (("'xonsh\\.ply',") ""))
+            #t))))
     (build-system python-build-system)
+    (inputs
+     `(("python-ply" ,python-ply)))
     (home-page "http://xon.sh/")
     (synopsis "Python-ish shell")
     (description

gnu/packages/statistics.scm

@@ -3042,6 +3042,31 @@ black-and-white.  They are also designed to be perceived by readers with the
 most common form of color blindness.")
     (license license:x11)))
 
+(define-public r-viridislite
+  (package
+    (name "r-viridislite")
+    (version "0.1.3")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "viridisLite" version))
+       (sha256
+        (base32
+         "1b0fhj8i1m9jsz91gzag60k7vy7kk5xkdg31rc3h3spq96l66psp"))))
+    (properties `((upstream-name . "viridisLite")))
+    (build-system r-build-system)
+    (home-page "https://github.com/sjmgarnier/viridisLite")
+    (synopsis "Default color maps from matplotlib")
+    (description
+     "This package is a port of the new @code{matplotlib} color maps ('viridis',
+'magma', 'plasma' and 'inferno') to R.  matplotlib is a popular plotting
+library for Python.  These color maps are designed in such a way that they
+will analytically be perfectly perceptually-uniform, both in regular form and
+also when converted to black-and-white.  They are also designed to be
+perceived by readers with the most common form of color blindness.  This is
+the 'lite' version of the more complete @code{viridis} package.")
+    (license license:expat)))
+
 (define-public r-tidyr
   (package
     (name "r-tidyr")
@@ -3094,30 +3119,58 @@ and tidyr provides no margins or aggregation.")
 It uses and relies on grid graphics and formal (S4) classes and methods.")
     (license license:gpl2+)))
 
+(define-public r-purrr
+  (package
+    (name "r-purrr")
+    (version "0.2.2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "purrr" version))
+       (sha256
+        (base32
+         "0lss8q733nv7s154wargm6vnxq55qygnxakib8xdj4jv0y86sxc3"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-bh" ,r-bh)
+       ("r-dplyr" ,r-dplyr)
+       ("r-lazyeval" ,r-lazyeval)
+       ("r-magrittr" ,r-magrittr)
+       ("r-rcpp" ,r-rcpp)))
+    (home-page "https://github.com/hadley/purrr")
+    (synopsis "Functional programming tools")
+    (description
+     "This package completes R's functional programming tools with missing
+features present in other programming languages.")
+    (license license:gpl3+)))
+
 (define-public r-plotly
   (package
     (name "r-plotly")
-    (version "3.6.0")
+    (version "4.5.2")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "plotly" version))
               (sha256
                (base32
-                "15hvqa0sf4z6l6vvr614zjszfphwpv66zpc665iyiynq0pd1jv2c"))))
+                "08shs0qhy9js0fpj3d4rzfbwmw11ki3z5vg8jszfm6m69mfkgzw1"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-base64enc" ,r-base64enc)
        ("r-digest" ,r-digest)
+       ("r-dplyr" ,r-dplyr)
        ("r-ggplot2" ,r-ggplot2)
        ("r-hexbin" ,r-hexbin)
        ("r-htmlwidgets" ,r-htmlwidgets)
        ("r-httr" ,r-httr)
        ("r-jsonlite" ,r-jsonlite)
+       ("r-lazyeval" ,r-lazyeval)
        ("r-magrittr" ,r-magrittr)
-       ("r-plyr" ,r-plyr)
+       ("r-purrr" ,r-purrr)
        ("r-scales" ,r-scales)
+       ("r-tibble" ,r-tibble)
        ("r-tidyr" ,r-tidyr)
-       ("r-viridis" ,r-viridis)))
+       ("r-viridislite" ,r-viridislite)))
     (home-page "https://plot.ly/r")
     (synopsis "Create interactive web graphics")
     (description

gnu/packages/textutils.scm

@@ -102,7 +102,7 @@ libenca and several charset conversion libraries and tools.")
 (define-public utf8proc
   (package
     (name "utf8proc")
-    (version "1.3.1")
+    (version "2.0.2")
     (source
      (origin
        (method url-fetch)
@@ -111,7 +111,7 @@ libenca and several charset conversion libraries and tools.")
              version ".tar.gz"))
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
-        (base32 "1k48as5kjkar4yj3dwxyll8ykj4k723ib5a6mnw1g86q3zi0zdl3"))))
+        (base32 "140vib1m6n5kwzkw1n9fbsi5gl6xymbd7yndwqx1sj15aakak776"))))
     (build-system gnu-build-system)
     (arguments
      '(#:tests? #f ;no "check" target
@@ -124,7 +124,7 @@ libenca and several charset conversion libraries and tools.")
     (synopsis "C library for processing UTF-8 Unicode data")
     (description "utf8proc is a small C library that provides Unicode
 normalization, case-folding, and other operations for data in the UTF-8
-encoding, supporting Unicode version 7.0.")
+encoding, supporting Unicode version 9.0.0.")
     (license license:expat)))
 
 (define-public libgtextutils

gnu/packages/tmux.scm

@@ -32,7 +32,7 @@
 (define-public tmux
   (package
     (name "tmux")
-    (version "2.2")
+    (version "2.3")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -40,7 +40,7 @@
                     version "/tmux-" version ".tar.gz"))
              (sha256
               (base32
-               "1r0riry5vw604hc21087ffbkqgr6j4ia1rrsivz2k6grchdm8a5w"))))
+               "0aw5fcav8pa70ym391n4g6mh5vir34x35xhb09zdwhhg5w9kwcam"))))
     (build-system gnu-build-system)
     (inputs
      `(("libevent" ,libevent)

gnu/packages/video.scm

@@ -403,14 +403,14 @@ standards (MPEG-2, MPEG-4 ASP/H.263, MPEG-4 AVC/H.264, and VC-1/VMW3).")
 (define-public ffmpeg
   (package
     (name "ffmpeg")
-    (version "3.1.3")
+    (version "3.1.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://ffmpeg.org/releases/ffmpeg-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "08l8290gipm632dhrqndnphdpkc5ncqc1j3hxdx46r1a3q3mqmzq"))))
+               "0nvb2k0maj5g8llfg47j8z5xpvp4q3g9pab2pp6vpjd5vmwb6358"))))
     (build-system gnu-build-system)
     (inputs
      `(("fontconfig" ,fontconfig)

gnu/packages/wm.scm

@@ -11,6 +11,7 @@
 ;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
 ;;; Copyright © 2016 doncatnip <gnopap@gmail.com>
+;;; Copyright © 2016 Ivan Vilata i Balaguer <ivan@selidor.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -35,6 +36,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system haskell)
+  #:use-module (guix build-system python)
   #:use-module (gnu packages haskell)
   #:use-module (gnu packages base)
   #:use-module (gnu packages pkg-config)
@@ -59,6 +61,7 @@
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages imagemagick)
   #:use-module (gnu packages lua)
+  #:use-module (gnu packages suckless)
   #:use-module (guix download)
   #:use-module (guix git-download))
 
@@ -203,6 +206,92 @@ from scratch.  i3 is primarily targeted at advanced users and
 developers.")
     (license license:bsd-3)))
 
+(define-public python-i3-py
+  (package
+    (name "python-i3-py")
+    (version "0.6.5")
+    (source
+     (origin
+       ;; The latest release is not tagged in Git nor has an entry in PyPi,
+       ;; but there is still a clear commit for it, and it's been the last one
+       ;; for years.
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/ziberna/i3-py.git")
+             (commit "27f88a616e9ecc340e7d041d3d00782f8a1964c1")))
+       (sha256
+        (base32
+         "1nm719dc2xqlll7vj4c4m7mpjb27lpn3bg3c66gajvnrz2x1nmxs"))
+       (file-name (string-append name "-" version "-checkout"))))
+    (build-system python-build-system)
+    (arguments
+     `(#:tests? #f ; no tests yet
+       #:phases (modify-phases %standard-phases
+                  (add-after 'install 'install-doc
+                    ;; Copy readme file to documentation directory.
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((doc (string-append (assoc-ref outputs "out")
+                                                "/share/doc/" ,name)))
+                        (install-file "README.md" doc)
+                        ;; Avoid unspecified return value.
+                        #t))))))
+    (propagated-inputs
+     `(("i3-wm" ,i3-wm)))
+    (home-page "https://github.com/ziberna/i3-py")
+    (synopsis "Python interface to the i3 window manager")
+    (description "This package allows you to interact from a Python program
+with the i3 window manager via its IPC socket.  It can send commands and other
+kinds of messages to i3, select the affected containers, filter results and
+subscribe to events.")
+    (license license:gpl3+)))
+
+(define-public python2-i3-py
+  (package-with-python2 python-i3-py))
+
+(define-public quickswitch-i3
+  (let ((commit "ed692b1e8f43b95bd907ced26238ce8ccb2ed28f")
+        (revision "1")) ; Guix package revision
+    (package
+      (name "quickswitch-i3")
+      (version (string-append "2.2-" revision "."
+                              (string-take commit 7)))
+      (source
+       (origin
+         ;; The latest commit is a few years old and just a couple commits
+         ;; after the last tagged release, so we use that latest commit
+         ;; instead of the release.
+         (method git-fetch)
+         (uri (git-reference
+               (url "https://github.com/proxypoke/quickswitch-for-i3.git")
+               (commit commit)))
+         (sha256
+          (base32
+           "0447077sama80jcdg5p64zjsvafmz5rbdrirhm1adcdjhkh6iqc5"))
+         (patches (search-patches "quickswitch-fix-dmenu-check.patch"))
+         (file-name (string-append name "-" version "-checkout"))))
+      (build-system python-build-system)
+      (arguments
+       `(#:tests? #f ; no tests yet
+         #:phases (modify-phases %standard-phases
+                    (add-after 'install 'install-doc
+                      ;; Copy readme file to documentation directory.
+                      (lambda* (#:key outputs #:allow-other-keys)
+                        (let ((doc (string-append (assoc-ref outputs "out")
+                                                  "/share/doc/" ,name)))
+                          (install-file "README.rst" doc)
+                          ;; Avoid unspecified return value.
+                          #t))))))
+      (inputs
+       `(("python-i3-py" ,python-i3-py)
+         ("dmenu" ,dmenu)))
+      (home-page "https://github.com/proxypoke/quickswitch-for-i3")
+      (synopsis "Quickly change to and locate windows in the i3 window manager")
+      (description
+       "This utility for the i3 window manager allows you to quickly switch to
+and locate windows on all your workspaces, using an interactive dmenu
+prompt.")
+      (license (license:non-copyleft "http://www.wtfpl.net/txt/copying/")))))
+
 (define-public xmonad
   (package
     (name "xmonad")

gnu/services/admin.scm

@@ -0,0 +1,119 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of thye GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services admin)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages base)
+  #:use-module (gnu services)
+  #:use-module (gnu services mcron)
+  #:use-module (gnu services shepherd)
+  #:use-module (guix gexp)
+  #:use-module (guix packages)
+  #:use-module (guix records)
+  #:use-module (srfi srfi-1)
+  #:export (%default-rotations
+            %rotated-files
+            rottlog-configuration
+            rottlog-configuration?
+            rottlog-service
+            rottlog-service-type))
+
+;;; Commentary:
+;;;
+;;; This module implements configuration of rottlog by writing
+;;; /etc/rottlog/{rc,hourly|daily|weekly}.  Example usage
+;;;
+;;;     (mcron-service)
+;;;     (service rottlog-service-type (rottlog-configuration))
+;;;
+;;; Code:
+
+(define %rotated-files
+  ;; Syslog files subject to rotation.
+  '("/var/log/messages" "/var/log/secure" "/var/log/maillog"))
+
+(define (syslog-rotation-config files)
+  #~(string-append #$(string-join files ",")
+                 " {
+        sharedscripts
+        postrotate
+        " #$coreutils "/bin/kill -HUP $(cat /var/run/syslog.pid) 2> /dev/null
+        endscript
+}
+"))
+
+(define (simple-rotation-config file)
+  (string-append file " {
+        sharedscripts
+}
+"))
+
+(define %default-rotations
+  `(("weekly"
+     ,(computed-file "rottlog.weekly"
+                     #~(call-with-output-file #$output
+                         (lambda (port)
+                           (display #$(syslog-rotation-config %rotated-files)
+                                    port)
+                           (display #$(simple-rotation-config
+                                       "/var/log/shepherd.log")
+                                    port)))))))
+
+(define (default-jobs rottlog)
+  (list #~(job '(next-hour '(0))                  ;midnight
+               (lambda ()
+                 (system* #$(file-append rottlog "/sbin/rottlog"))))
+        #~(job '(next-hour '(12))                 ;noon
+               (lambda ()
+                 (system* #$(file-append rottlog "/sbin/rottlog"))))))
+
+(define-record-type* <rottlog-configuration>
+  rottlog-configuration make-rottlog-configuration
+  rottlog-configuration?
+  (rottlog            rottlog-rottlog             ;package
+                      (default rottlog))
+  (rc-file            rottlog-rc-file             ;file-like
+                      (default (file-append rottlog "/etc/rc")))
+  (periodic-rotations rottlog-periodic-rotations  ;list of (name file) tuples
+                      (default %default-rotations))
+  (jobs               rottlog-jobs                ;list of <mcron-job>
+                      (default #f)))
+
+(define (rottlog-etc config)
+  `(("rottlog" ,(file-union "rottlog"
+                            (cons `("rc" ,(rottlog-rc-file config))
+                                  (rottlog-periodic-rotations config))))))
+
+(define (rottlog-jobs-or-default config)
+  (or (rottlog-jobs config)
+      (default-jobs (rottlog-rottlog config))))
+
+(define rottlog-service-type
+  (service-type
+   (name 'rottlog)
+   (extensions (list (service-extension etc-service-type rottlog-etc)
+                     (service-extension mcron-service-type
+                                        rottlog-jobs-or-default)
+
+                     ;; Add Rottlog to the global profile so users can access
+                     ;; the documentation.
+                     (service-extension profile-service-type
+                                        (compose list rottlog-rottlog))))))
+
+;;; admin.scm ends here

gnu/services/nfs.scm

@@ -38,11 +38,11 @@
   (shepherd-service-type
    'rpcbind
    (lambda (config)
-     (define pkg
+     (define nfs-utils
        (rpcbind-configuration-rpcbind config))
 
      (define rpcbind-command
-       #~(list (string-append #$pkg "/bin/rpcbind") "-f"
+       #~(list (string-append #$nfs-utils "/bin/rpcbind") "-f"
                #$@(if (rpcbind-configuration-warm-start? config) '("-w") '())))
 
      (shepherd-service

gnu/services/ssh.scm

@@ -50,7 +50,6 @@
 ;;;
 ;;; Code:
 
-;; TODO: Export.
 (define-record-type* <lsh-configuration>
   lsh-configuration make-lsh-configuration
   lsh-configuration?
@@ -261,15 +260,24 @@ The other options should be self-descriptive."
 (define-record-type* <openssh-configuration>
   openssh-configuration make-openssh-configuration
   openssh-configuration?
-  (pid-file              openssh-configuration-pid-file) ;string
+  (pid-file              openssh-configuration-pid-file
-  (port-number           openssh-configuration-port-number) ;integer
+                         (default "/var/run/sshd.pid"))
-  (permit-root-login     openssh-configuration-permit-root-login) ;Boolean | 'without-password
+  (port-number           openssh-configuration-port-number ;integer
-  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
+                         (default 22))
-  (password-authentication? openssh-configuration-password-authentication?) ;Boolean
+  (permit-root-login     openssh-configuration-permit-root-login ;Boolean | 'without-password
-  (pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
+                         (default #f))
-  (rsa-authentication?   openssh-configuration-rsa-authentication?) ;Boolean
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
-  (x11-forwarding?       openssh-configuration-x11-forwarding?) ;Boolean
+                          (default #f))
-  (protocol-number       openssh-configuration-protocol-number)) ;integer
+  (password-authentication? openssh-configuration-password-authentication? ;Boolean
+                            (default #t))
+  (public-key-authentication? openssh-configuration-public-key-authentication?
+                              (default #t))                         ;Boolean
+  (rsa-authentication?   openssh-configuration-rsa-authentication?  ;Boolean
+                         (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding? ;Boolean
+                         (default #f))
+  (protocol-number       openssh-configuration-protocol-number ;integer
+                         (default 2)))
 
 (define %openssh-accounts
   (list (user-group (name "sshd") (system? #t))
@@ -314,7 +322,7 @@ The other options should be self-descriptive."
                  #$(if (openssh-configuration-password-authentication? config)
                        "yes" "no"))
          (format port "PubkeyAuthentication ~a\n"
-                 #$(if (openssh-configuration-pubkey-authentication? config)
+                 #$(if (openssh-configuration-public-key-authentication? config)
                        "yes" "no"))
          (format port "RSAAuthentication ~a\n"
                  #$(if (openssh-configuration-rsa-authentication? config)
@@ -354,27 +362,6 @@ The other options should be self-descriptive."
                        (service-extension account-service-type
                                           (const %openssh-accounts))))))
 
-(define* (openssh-service #:key
-                          (pid-file "/var/run/sshd.pid")
-                          (port-number 22)
-                          (permit-root-login 'without-password)
-                          (allow-empty-passwords? #f)
-                          (password-authentication? #t)
-                          (pubkey-authentication? #t)
-                          (rsa-authentication? #t)
-                          (x11-forwarding? #f)
-                          (protocol-number 2))
-  (service openssh-service-type (openssh-configuration
-                                 (pid-file pid-file)
-                                 (port-number port-number)
-                                 (permit-root-login permit-root-login)
-                                 (allow-empty-passwords? allow-empty-passwords?)
-                                 (password-authentication? password-authentication?)
-                                 (pubkey-authentication? pubkey-authentication?)
-                                 (rsa-authentication? rsa-authentication?)
-                                 (x11-forwarding? x11-forwarding?)
-                                 (protocol-number protocol-number))))
-
 
 ;;;
 ;;; Dropbear.

gnu/tests/ssh.scm

@@ -0,0 +1,193 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests ssh)
+  #:use-module (gnu tests)
+  #:use-module (gnu system)
+  #:use-module (gnu system grub)
+  #:use-module (gnu system file-systems)
+  #:use-module (gnu system shadow)
+  #:use-module (gnu system vm)
+  #:use-module (gnu services)
+  #:use-module (gnu services base)
+  #:use-module (gnu services ssh)
+  #:use-module (gnu services networking)
+  #:use-module (gnu packages ssh)
+  #:use-module (guix gexp)
+  #:use-module (guix store)
+  #:use-module (guix monads)
+  #:export (%test-openssh
+            %test-dropbear))
+
+(define %base-os
+  (operating-system
+    (host-name "komputilo")
+    (timezone "Europe/Berlin")
+    (locale "en_US.UTF-8")
+
+    (bootloader (grub-configuration (device "/dev/sdX")))
+    (file-systems %base-file-systems)
+    (firmware '())
+    (users %base-user-accounts)
+    (services (cons (dhcp-client-service)
+                    %base-services))))
+
+(define (os-with-service service)
+  "Return a test operating system that runs SERVICE."
+  (operating-system
+    (inherit %base-os)
+    (services (cons service
+                    (operating-system-user-services %base-os)))))
+
+(define (run-ssh-test name ssh-service pid-file)
+  "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
+SSH-SERVICE must be configured to listen on port 22 and to allow for root and
+empty-password logins."
+  (mlet* %store-monad ((os ->   (marionette-operating-system
+                                 (os-with-service ssh-service)
+                                 #:imported-modules '((gnu services herd)
+                                                      (guix combinators))))
+                       (command (system-qemu-image/shared-store-script
+                                 os #:graphic? #f)))
+    (define test
+      (with-imported-modules '((gnu build marionette))
+        #~(begin
+            (eval-when (expand load eval)
+              ;; Prepare to use Guile-SSH.
+              (set! %load-path
+                (cons (string-append #$guile-ssh "/share/guile/site/"
+                                     (effective-version))
+                      %load-path)))
+
+            (use-modules (gnu build marionette)
+                         (srfi srfi-26)
+                         (srfi srfi-64)
+                         (ice-9 match)
+                         (ssh session)
+                         (ssh auth)
+                         (ssh channel))
+
+            (define marionette
+              ;; Enable TCP forwarding of the guest's port 22.
+              (make-marionette (list #$command "-net"
+                                     "user,hostfwd=tcp::2222-:22")))
+
+            (define (wait-for-file file)
+              ;; Wait until FILE exists in the guest; 'read' its content and
+              ;; return it.
+              (marionette-eval
+               `(let loop ((i 10))
+                  (cond ((file-exists? ,file)
+                         (call-with-input-file ,file read))
+                        ((> i 0)
+                         (sleep 1)
+                         (loop (- i 1)))
+                        (else
+                         (error "file didn't show up" ,file))))
+               marionette))
+
+            (mkdir #$output)
+            (chdir #$output)
+
+            (test-begin "ssh-daemon")
+
+            ;; Wait for sshd to be up and running.
+            (test-eq "service running"
+              'running!
+              (marionette-eval
+               '(begin
+                  (use-modules (gnu services herd))
+                  (start-service 'ssh-daemon)
+                  'running!)
+               marionette))
+
+            ;; Check sshd's PID file.
+            (test-equal "sshd PID"
+              (wait-for-file #$pid-file)
+              (marionette-eval
+               '(begin
+                  (use-modules (gnu services herd)
+                               (srfi srfi-1))
+
+                  (live-service-running
+                   (find (lambda (live)
+                           (memq 'ssh-daemon
+                                 (live-service-provision live)))
+                         (current-services))))
+               marionette))
+
+            ;; Connect to the guest over SSH.  We should be able to connect as
+            ;; "root" with an empty password.  Make sure we can run a shell
+            ;; command there.
+            (test-equal "connect"
+              'hello
+              (let* ((session (make-session #:user "root"
+                                            #:port 2222 #:host "localhost"
+                                            #:log-verbosity 'protocol)))
+                (match (connect! session)
+                  ('ok
+                   ;; Try the simple authentication methods.  Dropbear
+                   ;; requires 'none' when there are no passwords, whereas
+                   ;; OpenSSH accepts 'password' with an empty password.
+                   (let loop ((methods (list (cut userauth-password! <> "")
+                                             (cut userauth-none! <>))))
+                     (match methods
+                       (()
+                        (error "all the authentication methods failed"))
+                       ((auth rest ...)
+                        (match (pk 'auth (auth session))
+                          ('success
+                           ;; FIXME: 'get-server-public-key' segfaults.
+                           ;; (get-server-public-key session)
+                           (let ((channel (make-channel session)))
+                             (channel-open-session channel)
+                             (channel-request-exec channel
+                                                   "echo hello > /root/witness")
+                             (and (zero? (channel-get-exit-status channel))
+                                  (wait-for-file "/root/witness"))))
+                          ('denied
+                           (loop rest))))))))))
+
+            (test-end)
+            (exit (= (test-runner-fail-count (test-runner-current)) 0)))))
+
+    (gexp->derivation name test)))
+
+(define %test-openssh
+  (system-test
+   (name "openssh")
+   (description "Connect to a running OpenSSH daemon.")
+   (value (run-ssh-test name
+                        ;; Allow root logins with an empty password to
+                        ;; simplify testing.
+                        (service openssh-service-type
+                                 (openssh-configuration
+                                  (permit-root-login #t)
+                                  (allow-empty-passwords? #t)))
+                        "/var/run/sshd.pid"))))
+
+(define %test-dropbear
+  (system-test
+   (name "dropbear")
+   (description "Connect to a running Dropbear SSH daemon.")
+   (value (run-ssh-test name
+                        (service dropbear-service-type
+                                 (dropbear-configuration
+                                  (root-login? #t)
+                                  (allow-empty-passwords? #t)))
+                        "/var/run/dropbear.pid"))))

guix/build/pull.scm

@@ -125,6 +125,9 @@ containing the source code.  Write any debugging output to DEBUG-PORT."
       (newline)
       (let ((mutex (make-mutex))
             (completed 0))
+        ;; Make sure compilation related modules are loaded before starting to
+        ;; compile files in parallel.
+        (compile #f)
         (par-for-each
          (lambda (file)
            (with-mutex mutex

tests/guix-build.sh

@@ -26,9 +26,9 @@ guix build --version
 if guix build -e +;
 then false; else true; fi
 
-# Should fail because this is a source-less package.
+# Source-less packages are accepted; they just return nothing.
-if guix build -e '(@ (gnu packages bootstrap) %bootstrap-glibc)' -S
+guix build -e '(@ (gnu packages bootstrap) %bootstrap-glibc)' -S
-then false; else true; fi
+test "`guix build -e '(@ (gnu packages bootstrap) %bootstrap-glibc)' -S`" = ""
 
 # Should pass.
 guix build -e '(@@ (gnu packages bootstrap) %bootstrap-guile)' |	\