115 files changed, 2482 insertions, 1061 deletions

diff --git a/config-daemon.ac b/config-daemon.ac
index 848e1e58da..50ead355a8 100644
--- a/config-daemon.ac
+++ b/config-daemon.ac
@@ -91,8 +91,9 @@ if test "x$guix_build_daemon" = "xyes"; then
   dnl sched_setaffinity: to improve RPC locality.
   dnl statvfs: to detect disk-full conditions.
   dnl strsignal: for error reporting.
+  dnl statx: fine-grain 'stat' call, new in glibc 2.28.
   AC_CHECK_FUNCS([lutimes lchown posix_fallocate sched_setaffinity \
-     statvfs nanosleep strsignal])
+     statvfs nanosleep strsignal statx])
 
   dnl Check whether the store optimiser can optimise symlinks.
   AC_MSG_CHECKING([whether it is possible to create a link to a symlink])
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 869b9666df..7c3860fbf5 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -111,9 +111,10 @@ REPL} by running @code{guile} from the command line.
 Alternatively you can also run @code{guix environment --ad-hoc guile -- guile}
 if you'd rather not have Guile installed in your user profile.
 
-In the following examples we use the @code{>} symbol to denote the REPL
-prompt, that is, the line reserved for user input.  @xref{Using Guile
-Interactively,,, guile, GNU Guile Reference Manual}) for more details on the
+In the following examples, lines show what you would type at the REPL;
+lines starting with ``@result{}'' show evaluation results, while lines
+starting with ``@print{}'' show things that get printed.  @xref{Using Guile
+Interactively,,, guile, GNU Guile Reference Manual}), for more details on the
 REPL.
 
 @itemize
@@ -121,17 +122,20 @@ REPL.
 Scheme syntax boils down to a tree of expressions (or @emph{s-expression} in
 Lisp lingo).  An expression can be a literal such as numbers and strings, or a
 compound which is a parenthesized list of compounds and literals.  @code{#t}
-and @code{#f} stand for the booleans "true" and "false", respectively.
+and @code{#f} stand for the Booleans ``true'' and ``false'', respectively.
 
 Examples of valid expressions:
 
 @lisp
-> "Hello World!"
 "Hello World!"
-> 17
+@result{} "Hello World!"
+
 17
-> (display (string-append "Hello " "Guix" "\n"))
-"Hello Guix!"
+@result{} 17
+
+(display (string-append "Hello " "Guix" "\n"))
+@print{} Hello Guix!
+@result{} #<unspecified>
 @end lisp
 
 @item
@@ -144,8 +148,8 @@ last evaluated expression as its return value.
 Anonymous functions are declared with the @code{lambda} term:
 
 @lisp
-> (lambda (x) (* x x))
-#<procedure 120e348 at <unknown port>:24:0 (x)>
+(lambda (x) (* x x))
+@result{} #<procedure 120e348 at <unknown port>:24:0 (x)>
 @end lisp
 
 The above procedure returns the square of its argument.  Since everything is
@@ -153,18 +157,18 @@ an expression, the @code{lambda} expression returns an anonymous procedure,
 which can in turn be applied to an argument:
 
 @lisp
-> ((lambda (x) (* x x)) 3)
-9
+((lambda (x) (* x x)) 3)
+@result{} 9
 @end lisp
 
 @item
 Anything can be assigned a global name with @code{define}:
 
 @lisp
-> (define a 3)
-> (define square (lambda (x) (* x x)))
-> (square a)
-9
+(define a 3)
+(define square (lambda (x) (* x x)))
+(square a)
+@result{} 9
 @end lisp
 
 @item
@@ -178,58 +182,63 @@ Procedures can be defined more concisely with the following syntax:
 A list structure can be created with the @code{list} procedure:
 
 @lisp
-> (list 2 a 5 7)
-(2 3 5 7)
+(list 2 a 5 7)
+@result{} (2 3 5 7)
 @end lisp
 
 @item
-The @emph{quote} disables evaluation of a parenthesized expression: the first
-term is not called over the other terms.  Thus it effectively returns a list
-of terms.
+The @dfn{quote} disables evaluation of a parenthesized expression: the
+first term is not called over the other terms (@pxref{Expression Syntax,
+quote,, guile, GNU Guile Reference Manual}).  Thus it effectively
+returns a list of terms.
 
 @lisp
-> '(display (string-append "Hello " "Guix" "\n"))
-(display (string-append "Hello " "Guix" "\n"))
-> '(2 a 5 7)
-(2 a 5 7)
+'(display (string-append "Hello " "Guix" "\n"))
+@result{} (display (string-append "Hello " "Guix" "\n"))
+
+'(2 a 5 7)
+@result{} (2 a 5 7)
 @end lisp
 
 @item
-The @emph{quasiquote} disables evaluation of a parenthesized expression until
-a comma re-enables it.  Thus it provides us with fine-grained control over
-what is evaluated and what is not.
+The @dfn{quasiquote} disables evaluation of a parenthesized expression
+until @dfn{unquote} (a comma) re-enables it.  Thus it provides us with
+fine-grained control over what is evaluated and what is not.
 
 @lisp
-> `(2 a 5 7 (2 ,a 5 ,(+ a 4)))
-(2 a 5 7 (2 3 5 7))
+`(2 a 5 7 (2 ,a 5 ,(+ a 4)))
+@result{} (2 a 5 7 (2 3 5 7))
 @end lisp
 
 Note that the above result is a list of mixed elements: numbers, symbols (here
 @code{a}) and the last element is a list itself.
 
 @item
-Multiple variables can be named locally with @code{let}:
+Multiple variables can be named locally with @code{let} (@pxref{Local
+Bindings,,, guile, GNU Guile Reference Manual}):
 
 @lisp
-> (define x 10)
-> (let ((x 2)
-        (y 3))
-    (list x y))
-(2 3)
-> x
-10
-> y
-ERROR: In procedure module-lookup: Unbound variable: y
+(define x 10)
+(let ((x 2)
+      (y 3))
+  (list x y))
+@result{} (2 3)
+
+x
+@result{} 10
+
+y
+@error{} In procedure module-lookup: Unbound variable: y
 @end lisp
 
 Use @code{let*} to allow later variable declarations to refer to earlier
 definitions.
 
 @lisp
-> (let* ((x 2)
-         (y (* x 3)))
-    (list x y))
-(2 6)
+(let* ((x 2)
+       (y (* x 3)))
+  (list x y))
+@result{} (2 6)
 @end lisp
 
 @item
@@ -242,7 +251,8 @@ the build stage.  Note that it is merely a convention, like @code{_} in C.
 Scheme treats @code{%} exactly the same as any other letter.
 
 @item
-Modules are created with @code{define-module}.  For instance
+Modules are created with @code{define-module} (@pxref{Creating Guile
+Modules,,, guile, GNU Guile Reference Manual}).  For instance
 
 @lisp
 (define-module (guix build-system ruby)
@@ -331,14 +341,14 @@ It does not assume much knowledge of the Guix system nor of the Lisp language.
 The reader is only expected to be familiar with the command line and to have some
 basic programming knowledge.
 
-@node A "Hello World" package
-@subsection A "Hello World" package
+@node A ``Hello World'' package
+@subsection A ``Hello World'' package
 
-The “Defining Packages” section of the manual introduces the basics of Guix
+The ``Defining Packages'' section of the manual introduces the basics of Guix
 packaging (@pxref{Defining Packages,,, guix, GNU Guix Reference Manual}).  In
 the following section, we will partly go over those basics again.
 
-``GNU hello'' is a dummy project that serves as an idiomatic example for
+GNU@tie{}Hello is a dummy project that serves as an idiomatic example for
 packaging.  It uses the GNU build system (@code{./configure && make && make
 install}).  Guix already provides a package definition which is a perfect
 example to start with.  You can look up its declaration with @code{guix edit
@@ -416,10 +426,10 @@ available licenses.
 @end table
 
 Time to build our first package!  Nothing fancy here for now: we will stick to a
-dummy "my-hello", a copy of the above declaration.
+dummy @code{my-hello}, a copy of the above declaration.
 
-As with the ritualistic "Hello World" taught with most programming languages,
-this will possibly be the most "manual" approach.  We will work out an ideal
+As with the ritualistic ``Hello World'' taught with most programming languages,
+this will possibly be the most ``manual'' approach.  We will work out an ideal
 setup later; for now we will go the simplest route.
 
 Save the following to a file @file{my-hello.scm}.
@@ -554,20 +564,20 @@ earlier example.
 
 The @code{use-modules} expression tells which of the modules we need in the file.
 Modules are a collection of values and procedures.  They are commonly called
-"libraries" or "packages" in other programming languages.
+``libraries'' or ``packages'' in other programming languages.
 
 @node @samp{GUIX_PACKAGE_PATH}
 @subsubsection @samp{GUIX_PACKAGE_PATH}
 
-@emph{Note: Starting from Guix 0.16, the more flexible Guix "channels" are the
+@emph{Note: Starting from Guix 0.16, the more flexible Guix @dfn{channels} are the
 preferred way and supersede @samp{GUIX_PACKAGE_PATH}.  See next section.}
 
 It can be tedious to specify the file from the command line instead of simply
 calling @code{guix package --install my-hello} as you would do with the official
 packages.
 
-Guix makes it possible to streamline the process by adding as many "package
-declaration paths" as you want.
+Guix makes it possible to streamline the process by adding as many ``package
+declaration directories'' as you want.
 
 Create a directory, say @samp{~./guix-packages} and add it to the @samp{GUIX_PACKAGE_PATH}
 environment variable:
@@ -581,7 +591,7 @@ To add several directories, separate them with a colon (@code{:}).
 
 Our previous @samp{my-hello} needs some adjustments though:
 
-@example
+@lisp
 (define-module (my-hello)
   #:use-module (guix licenses)
   #:use-module (guix packages)
@@ -607,7 +617,7 @@ serves as an example of standard GNU coding practices.  As such, it supports
 command-line arguments, multiple languages, and so on.")
     (home-page "https://www.gnu.org/software/hello/")
     (license gpl3+)))
-@end example
+@end lisp
 
 Note that we have assigned the package value to an exported variable name with
 @code{define-public}.  This is effectively assigning the package to the @code{my-hello}
@@ -619,14 +629,14 @@ will fail because the last expression, @code{define-public}, does not return a
 package.  If you want to use @code{define-public} in this use-case nonetheless, make
 sure the file ends with an evaluation of @code{my-hello}:
 
-@example
+@lisp
 ; ...
 (define-public my-hello
   ; ...
   )
 
 my-hello
-@end example
+@end lisp
 
 This last example is not very typical.
 
@@ -670,7 +680,7 @@ In the rest of this article, we use @samp{$GUIX_CHECKOUT} to refer to the locati
 the checkout.
 
 
-Follow the instruction in the manual (@pxref{Contributing,,, guix, GNU Guix
+Follow the instructions in the manual (@pxref{Contributing,,, guix, GNU Guix
 Reference Manual}) to set up the repository environment.
 
 Once ready, you should be able to use the package definitions from the
@@ -679,7 +689,8 @@ repository environment.
 Feel free to edit package definitions found in @samp{$GUIX_CHECKOUT/gnu/packages}.
 
 The @samp{$GUIX_CHECKOUT/pre-inst-env} script lets you use @samp{guix} over the package
-collection of the repository.
+collection of the repository (@pxref{Running Guix Before It Is
+Installed,,, guix, GNU Guix Reference Manual}).
 
 @itemize
 @item
@@ -735,11 +746,11 @@ It's a community effort so the more join in, the better Guix becomes!
 @node Extended example
 @subsection Extended example
 
-The above "Hello World" example is as simple as it goes.  Packages can be more
+The above ``Hello World'' example is as simple as it goes.  Packages can be more
 complex than that and Guix can handle more advanced scenarios.  Let's look at
 another, more sophisticated package (slightly modified from the source):
 
-@example
+@lisp
 (define-module (gnu packages version-control)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
@@ -812,7 +823,7 @@ provided as a re-entrant linkable library with a solid API, allowing you to
 write native speed custom Git applications in any language with bindings.")
       ;; GPLv2 with linking exception
       (license license:gpl2))))
-@end example
+@end lisp
 
 (In those cases were you only want to tweak a few fields from a package
 definition, you should rely on inheritance instead of copy-pasting everything.
@@ -840,9 +851,7 @@ version when packaging programs for a specific commit.
 Snippets are quoted (i.e. non-evaluated) Scheme code that are a means of patching
 the source.  They are a Guix-y alternative to the traditional @samp{.patch} files.
 Because of the quote, the code in only evaluated when passed to the Guix daemon
-for building.
-
-There can be as many snippet as needed.
+for building.  There can be as many snippets as needed.
 
 Snippets might need additional Guile modules which can be imported from the
 @code{modules} field.
@@ -851,17 +860,17 @@ Snippets might need additional Guile modules which can be imported from the
 
 First, a syntactic comment: See the quasi-quote / comma syntax?
 
-@example
+@lisp
     (native-inputs
      `(("pkg-config" ,pkg-config)))
-@end example
+@end lisp
 
 is equivalent to
 
-@example
+@lisp
     (native-inputs
      (list (list "pkg-config" pkg-config)))
-@end example
+@end lisp
 
 You'll mostly see the former because it's shorter.
 
@@ -883,7 +892,7 @@ being present at build time.
 
 The distinction between the various inputs is important: if a dependency can be
 handled as an @emph{input} instead of a @emph{propagated input}, it should be done so, or
-else it "pollutes" the user profile for no good reason.
+else it ``pollutes'' the user profile for no good reason.
 
 For instance, a user installing a graphical program that depends on a
 command line tool might only be interested in the graphical part, so there is no
@@ -930,10 +939,10 @@ Another  common argument is @code{:make-flags}, which specifies a list of flags
 append when running make, as you would from the command line.  For instance, the
 following flags
 
-@example
+@lisp
 #:make-flags (list (string-append "prefix=" (assoc-ref %outputs "out"))
                    "CC=gcc")
-@end example
+@end lisp
 
 translate into
 
@@ -946,11 +955,11 @@ directory in Make parlance) to @code{(assoc-ref %outputs "out")}, which is a bui
 global variable pointing to the destination directory in the store (something like
 @samp{/gnu/store/...-my-libgit2-20180408}).
 
-Similarly, it's possible to set the "configure" flags.
+Similarly, it's possible to set the configure flags:
 
-@example
+@lisp
 #:configure-flags '("-DUSE_SHA1DC=ON")
-@end example
+@end lisp
 
 The @code{%build-inputs} variable is also generated in scope.  It's an association
 table that maps the input names to their store directories.
@@ -960,7 +969,7 @@ phases include @code{unpack}, @code{configure}, @code{build}, @code{install} and
 more about those phases, you need to work out the appropriate build system
 definition in @samp{$GUIX_CHECKOUT/guix/build/gnu-build-system.scm}:
 
-@example
+@lisp
 (define %standard-phases
   ;; Standard build phases, as a list of symbol/procedure pairs.
   (let-syntax ((phases (syntax-rules ()
@@ -978,16 +987,16 @@ definition in @samp{$GUIX_CHECKOUT/guix/build/gnu-build-system.scm}:
             install-license-files
             reset-gzip-timestamps
             compress-documentation)))
-@end example
+@end lisp
 
 Or from the REPL:
 
-@example
-> (add-to-load-path "/path/to/guix/checkout")
-> ,module (guix build gnu-build-system)
-> (map first %standard-phases)
-(set-SOURCE-DATE-EPOCH set-paths install-locale unpack bootstrap patch-usr-bin-file patch-source-shebangs configure patch-generated-file-shebangs build check install patch-shebangs strip validate-runpath validate-documentation-location delete-info-dir-file patch-dot-desktop-files install-license-files reset-gzip-timestamps compress-documentation)
-@end example
+@lisp
+(add-to-load-path "/path/to/guix/checkout")
+,use (guix build gnu-build-system)
+(map first %standard-phases)
+@result{} (set-SOURCE-DATE-EPOCH set-paths install-locale unpack bootstrap patch-usr-bin-file patch-source-shebangs configure patch-generated-file-shebangs build check install patch-shebangs strip validate-runpath validate-documentation-location delete-info-dir-file patch-dot-desktop-files install-license-files reset-gzip-timestamps compress-documentation)
+@end lisp
 
 If you want to know more about what happens during those phases, consult the
 associated procedures.
@@ -995,7 +1004,7 @@ associated procedures.
 For instance, as of this writing the definition of @code{unpack} for the GNU build
 system is
 
-@example
+@lisp
 (define* (unpack #:key source #:allow-other-keys)
   "Unpack SOURCE in the working directory, and change directory within the
 source.  When SOURCE is a directory, copy it in a sub-directory of the current
@@ -1015,7 +1024,7 @@ working directory."
             (invoke "tar" "xvf" source))
         (chdir (first-subdirectory "."))))
   #t)
-@end example
+@end lisp
 
 Note the @code{chdir} call: it changes the working directory to where the source was
 unpacked.
@@ -1045,14 +1054,14 @@ by their name in those variables.  Thus @code{(assoc-ref outputs "out")} is the
 directory of the main output of the package.  A phase procedure may look like
 this:
 
-@example
+@lisp
 (lambda* (#:key inputs outputs #:allow-other-keys)
   (let (((bash-directory (assoc-ref inputs "bash"))
          (output-directory (assoc-ref outputs "out"))
          (doc-directory (assoc-ref outputs "doc"))
   ; ...
   #t)
-@end example
+@end lisp
 
 The procedure must return @code{#t} on success.  It's brittle to rely on the return
 value of the last expression used to tweak the phase because there is no
@@ -1066,11 +1075,11 @@ argument field.  Indeed, the build code in the package declaration should not be
 evaluated on the client side, but only when passed to the Guix daemon.  This
 mechanism of passing code around two running processes is called @uref{https://arxiv.org/abs/1709.00833, code staging}.
 
-@subsubsection "Utils" functions
+@subsubsection Utility functions
 
 When customizing @code{phases}, we often need to write code that mimics the
 equivalent system invocations (@code{make}, @code{mkdir}, @code{cp}, etc.) commonly used during
-regular "Unix-style" installations.
+regular ``Unix-style'' installations.
 
 Some like @code{chmod} are native to Guile.
 @xref{,,, guile, Guile reference manual} for a complete list.
@@ -1103,7 +1112,7 @@ Run an executable.  This should be used instead of @code{system*}.
 Run the body in a different working directory,
 then restore the previous working directory.
 @item substitute*
-A "sed-like" function.
+A ``@command{sed}-like'' function.
 @end table
 
 @subsubsection Module prefix
@@ -1233,7 +1242,7 @@ $ guix refresh hello --update
 If you've started browsing the existing package definitions, you might have
 noticed that a significant number of them have a @code{inherit} field:
 
-@example
+@lisp
 (define-public adwaita-icon-theme
   (package (inherit gnome-icon-theme)
     (name "adwaita-icon-theme")
@@ -1248,7 +1257,7 @@ noticed that a significant number of them have a @code{inherit} field:
                 "17fpahgh5dyckgz7rwqvzgnhx53cx9kr2xw0szprc6bnqy977fi8"))))
     (native-inputs
      `(("gtk-encode-symbolic-svg" ,gtk+ "bin")))))
-@end example
+@end lisp
 
 All unspecified fields are inherited from the parent package.  This is very
 convenient to create alternative packages, for instance with different source,
@@ -1299,7 +1308,7 @@ The @uref{https://www.gnu.org/software/guix/manual/en/html_node/Defining-Package
 @uref{https://gitlab.com/pjotrp/guix-notes/blob/master/HACKING.org, Pjotr’s hacking guide to GNU Guix}
 
 @item
-@uref{https://www.gnu.org/software/guix/guix-ghm-andreas-20130823.pdf, "GNU Guix: Package without a scheme!"}, by Andreas Enge
+@uref{https://www.gnu.org/software/guix/guix-ghm-andreas-20130823.pdf, ``GNU Guix: Package without a scheme!''}, by Andreas Enge
 @end itemize
 
 @c *********************************************************************
@@ -1533,7 +1542,7 @@ CONFIG_VIRTIO=m
 @end example
 
 After copying all the configuration options, run @code{make localmodconfig}
-again to make sure that you don't have any output starting with "module".
+again to make sure that you don't have any output starting with ``module''.
 After all of these machine specific modules there are a couple more left that
 are also needed.  @code{CONFIG_MODULES} is necessary so that you can build and
 load modules separately and not have everything built into the kernel.
diff --git a/doc/guix.texi b/doc/guix.texi
index 1fec43a228..23a30ce553 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1368,13 +1368,11 @@ source URLs.  When this option is omitted,
 This means that substitutes may be downloaded from @var{urls}, as long
 as they are signed by a trusted signature (@pxref{Substitutes}).
 
-@cindex build hook
-@item --no-build-hook
-Do not use the @dfn{build hook}.
-
-The build hook is a helper program that the daemon can start and to
-which it submits build requests.  This mechanism is used to offload
-builds to other machines (@pxref{Daemon Offload Setup}).
+@cindex offloading
+@item --no-offload
+Do not use offload builds to other machines (@pxref{Daemon Offload
+Setup}).  That is, always build things locally instead of offloading
+builds to remote machines.
 
 @item --cache-failures
 Cache build failures.  By default, only successful builds are cached.
@@ -2830,7 +2828,8 @@ $ guix package --upgrade . --do-not-upgrade emacs
 @cindex profile declaration
 @cindex profile manifest
 Create a new generation of the profile from the manifest object
-returned by the Scheme code in @var{file}.
+returned by the Scheme code in @var{file}.  This option can be repeated
+several times, in which case the manifests are concatenated.
 
 This allows you to @emph{declare} the profile's contents rather than
 constructing it through a sequence of @code{--install} and similar
@@ -4802,7 +4801,8 @@ As an example, @var{file} might contain a definition like this
 @item --manifest=@var{file}
 @itemx -m @var{file}
 Create an environment for the packages contained in the manifest object
-returned by the Scheme code in @var{file}.
+returned by the Scheme code in @var{file}.  This option can be repeated
+several times, in which case the manifests are concatenated.
 
 This is similar to the same-named option in @command{guix package}
 (@pxref{profile-manifest, @option{--manifest}}) and uses the same
@@ -5176,7 +5176,8 @@ build} (@pxref{Additional Build Options, @code{--expression} in
 @item --manifest=@var{file}
 @itemx -m @var{file}
 Use the packages contained in the manifest object returned by the Scheme
-code in @var{file}.
+code in @var{file}.  This option can be repeated several times, in which
+case the manifests are concatenated.
 
 This has a similar purpose as the same-named option in @command{guix
 package} (@pxref{profile-manifest, @option{--manifest}}) and uses the
@@ -8050,9 +8051,9 @@ the end of the build log.  This is useful when debugging build issues.
 @xref{Debugging Build Failures}, for tips and tricks on how to debug
 build issues.
 
-This option has no effect when connecting to a remote daemon with a
-@code{guix://} URI (@pxref{The Store, the @code{GUIX_DAEMON_SOCKET}
-variable}).
+This option implies @option{--no-offload}, and it has no effect when
+connecting to a remote daemon with a @code{guix://} URI (@pxref{The
+Store, the @code{GUIX_DAEMON_SOCKET} variable}).
 
 @item --keep-going
 @itemx -k
@@ -8109,10 +8110,10 @@ stashing one of the build results with @code{guix archive --export}
 (@pxref{Invoking guix archive}), then rebuilding, and finally comparing
 the two results.
 
-@item --no-build-hook
-Do not attempt to offload builds @i{via} the ``build hook'' of the daemon
-(@pxref{Daemon Offload Setup}).  That is, always build things locally
-instead of offloading builds to remote machines.
+@item --no-offload
+Do not use offload builds to other machines (@pxref{Daemon Offload
+Setup}).  That is, always build things locally instead of offloading
+builds to remote machines.
 
 @item --max-silent-time=@var{seconds}
 When the build or substitution process remains silent for more than
@@ -20359,7 +20360,7 @@ User who will own the php worker processes.
 Group of the worker processes.
 @item @code{socket-user} (default: @code{php-fpm})
 User who can speak to the php-fpm socket.
-@item @code{socket-group} (default: @code{php-fpm})
+@item @code{socket-group} (default: @code{nginx})
 Group that can speak to the php-fpm socket.
 @item @code{pid-file} (default: @code{(string-append "/var/run/php" (version-major (package-version php)) "-fpm.pid")})
 The process id of the php-fpm process is written to this file
diff --git a/etc/completion/fish/guix.fish b/etc/completion/fish/guix.fish
index 525d39679d..6582f3a186 100644
--- a/etc/completion/fish/guix.fish
+++ b/etc/completion/fish/guix.fish
@@ -133,7 +133,7 @@ complete -f -c guix -n '__fish_guix_using_command pull' -l url -d 'download the
 complete -f -c guix -n '__fish_guix_using_command pull' -l bootstrap -d 'use the bootstrap Guile to build the new Guix'
 
 #### system
-set -l remotecommands reconfigure roll-back switch-generation list-generations build container vm vm-image disk-image init extension-graph shepherd-graph load-path keep-failed keep-going dry-run fallback no-substitutes substitutes-urls no-grafts no-build-hook max-silent-time timeout verbosity rounds cores max-jobs derivation on-error image-size no-grub share expose full-boot
+set -l remotecommands reconfigure roll-back switch-generation list-generations build container vm vm-image disk-image init extension-graph shepherd-graph load-path keep-failed keep-going dry-run fallback no-substitutes substitutes-urls no-grafts no-offload max-silent-time timeout verbosity rounds cores max-jobs derivation on-error image-size no-grub share expose full-boot
 complete -f -c guix -n '__fish_guix_needs_command' -a system -d 'Build the operating system declared in FILE according to ACTION.'
 complete -f -c guix -n '__fish_guix_using_command system' -l reconfigure -d 'switch to a new operating system configuration'
 complete -f -c guix -n '__fish_guix_using_command system' -l roll-back -d 'switch to the previous operating system configuration'
@@ -156,7 +156,7 @@ complete -f -c guix -n '__fish_guix_using_command system' -l fallback -d 'fall b
 complete -f -c guix -n '__fish_guix_using_command system' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command system' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command system' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command system' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command system' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command system' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command system' -a "--timeout=" -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command system' -a "--verbosity=" -d 'use the given verbosity LEVEL'
@@ -174,7 +174,7 @@ complete -f -c guix -n '__fish_guix_using_command system' -a "--expose=" -d 'for
 complete -f -c guix -n '__fish_guix_using_command system' -l full-boot -d 'for \'vm\', make a full boot sequence'
 
 #### build
-set -l remotecommands expression file source sources system target derivations check repair root quiet log-file load-path keep-failed keep-going dry-run fallback no-substitutes substitute-urls no-grafts no-build-hook max-silent-time timeout verbosity rounds cores max-jobs with-source with-input with-graft
+set -l remotecommands expression file source sources system target derivations check repair root quiet log-file load-path keep-failed keep-going dry-run fallback no-substitutes substitute-urls no-grafts no-offload max-silent-time timeout verbosity rounds cores max-jobs with-source with-input with-graft
 complete -f -c guix -n '__fish_guix_needs_command' -a build -d 'Build the given PACKAGE-OR-DERIVATION and return their output paths.'
 complete -f -c guix -n '__fish_guix_using_command build' -a "--expression=" -d 'build the package or derivation EXPR evaluates to'
 complete -f -c guix -n '__fish_guix_using_command build' -s f -d 'build the package or derivation that the code within FILE evaluates to' --exclusive --arguments "(ls -ap)"
@@ -201,7 +201,7 @@ complete -f -c guix -n '__fish_guix_using_command build' -l fallback -d 'fall ba
 complete -f -c guix -n '__fish_guix_using_command build' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command build' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command build' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command build' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command build' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command build' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command build' -a "--timeout=" -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command build' -a "--verbosity=" -d 'use the given verbosity LEVEL'
@@ -215,7 +215,7 @@ complete -f -c guix -n '__fish_guix_using_command build' -a "--with-input=" -d '
 complete -f -c guix -n '__fish_guix_using_command build' -a "--with-graft=" -d 'PACKAGE=REPLACEMENT .. graft REPLACEMENT on packages that refer to PACKAGE'
 
 #### package
-set -l remotecommands install install-from-expression install-from-file remove upgrade manifest do-no-upgrade roll-back search-paths list-generations delete-generations switch-generation profile bootstrap verbose search list-installed list-available show load-path keep-failed keep-going dry-run fallback no.substitutes substitute-urls no-grafts no-build-hook max-silent-time timenout verbosity rounds cores max-jobs with-source with-input with-graft
+set -l remotecommands install install-from-expression install-from-file remove upgrade manifest do-no-upgrade roll-back search-paths list-generations delete-generations switch-generation profile bootstrap verbose search list-installed list-available show load-path keep-failed keep-going dry-run fallback no.substitutes substitute-urls no-grafts no-offload max-silent-time timenout verbosity rounds cores max-jobs with-source with-input with-graft
 complete -f -c guix -n '__fish_guix_needs_command' -a package -d 'Install, remove, or upgrade packages in a single transaction.'
 complete -f -c guix -n '__fish_guix_using_command package' -s i -l install -d 'install PACKAGEs'
 complete -f -c guix -n '__fish_guix_using_command package' -s e -d 'install the package EXP evaluates to'
@@ -252,7 +252,7 @@ complete -f -c guix -n '__fish_guix_using_command package' -l fallback -d 'fall
 complete -f -c guix -n '__fish_guix_using_command package' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command package' -a "--substitute-urls=" -d 'URLS fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command package' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command package' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command package' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command package' -a "--max-silent-time=" -d 'SECONDS mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command package' -a "--timeout=" -d 'SECONDS mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command package' -a "--verbosity=" -d 'LEVEL use the given verbosity LEVEL'
@@ -391,7 +391,7 @@ complete -f -c guix -n '__fish_guix_using_command gc' -l list-failures -d 'list
 complete -f -c guix -n '__fish_guix_using_command gc' -l clear-failures -d 'remove PATHS from the set of cached failures'
 
 #### environment
-set -l remotecommands expression load ad-hoc pure search-paths system root container network share expose bootstrap load-path keep-failed keep-going dry-run fallback no-substitutes substitute-urls no-grafts no-build-hook max-silent-time timeout verbosity rounds cores max-jobs
+set -l remotecommands expression load ad-hoc pure search-paths system root container network share expose bootstrap load-path keep-failed keep-going dry-run fallback no-substitutes substitute-urls no-grafts no-offload max-silent-time timeout verbosity rounds cores max-jobs
 complete -f -c guix -n '__fish_guix_needs_command' -a environment -d 'Build an environment that includes the dependencies of PACKAGE and execute COMMAND or an interactive shell in that environment.'
 complete -f -c guix -n '__fish_guix_using_command environment' -s e -d 'Create environment for the package that EXPR evaluates to'
 complete -f -c guix -n '__fish_guix_using_command environment' -a "--expression=" -d 'Create environment for the package that EXPR evaluates to'
@@ -418,7 +418,7 @@ complete -f -c guix -n '__fish_guix_using_command environment' -l fallback -d 'f
 complete -f -c guix -n '__fish_guix_using_command environment' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command environment' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command environment' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command environment' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command environment' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command environment' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command environment' -a "--timeout=" -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command environment' -a "--verbosity=" -d 'use the given verbosity LEVEL'
@@ -432,7 +432,7 @@ complete -f -c guix -n '__fish_guix_using_command environment' -a "--max-jobs="
 complete -f -c guix -n '__fish_guix_needs_command' -a edit -d 'Start $VISUAL or $EDITOR to edit the definitions of PACKAGE.'
 
 #### copy
-set -l remotecommands to= from= load-path= keep-failed keep-going dry-run fallback no-substitutes substitute-urls= no-grafts no-build-hook max-silent-time= timeout= verbosity= rounds= cores= max-jobs=
+set -l remotecommands to= from= load-path= keep-failed keep-going dry-run fallback no-substitutes substitute-urls= no-grafts no-offload max-silent-time= timeout= verbosity= rounds= cores= max-jobs=
 complete -f -c guix -n '__fish_guix_needs_command' -a copy -d 'Copy ITEMS to or from the specified host over SSH.'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--to=" -d 'send ITEMS to HOST'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--from=" -d 'receive ITEMS from HOST'
@@ -445,7 +445,7 @@ complete -f -c guix -n '__fish_guix_using_command copy' -l fallback -d 'fall bac
 complete -f -c guix -n '__fish_guix_using_command copy' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command copy' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command copy' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command copy' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--timeout=" -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command copy' -a "--verbosity=" -d 'use the given verbosity LEVEL'
@@ -467,7 +467,7 @@ complete -f -c guix -n '__fish_guix_using_command challenge' -a "--substitute-ur
 complete -f -c guix -n '__fish_guix_using_command challenge' -s v -l verbose -d 'show details about successful comparisons'
 
 #### archive
-set -l remotecommands export format= recursive import missing extract= generate-key authorize expression= source system= target= load-path= keep-failed keep-going dry-run fallback no-substitutes substitute-urls= no-grafts no-build-hook max-silent-time= timeout= verbosity= rounds= cores= max-jobs=
+set -l remotecommands export format= recursive import missing extract= generate-key authorize expression= source system= target= load-path= keep-failed keep-going dry-run fallback no-substitutes substitute-urls= no-grafts no-offload max-silent-time= timeout= verbosity= rounds= cores= max-jobs=
 complete -f -c guix -n '__fish_guix_needs_command' -a archive -d 'Export/import one or more packages from/to the store.'
 complete -f -c guix -n '__fish_guix_using_command archive' -l export -d 'export the specified files/packages to stdout'
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--format=" -d 'export files/packages in the specified format FMT'
@@ -489,7 +489,7 @@ complete -f -c guix -n '__fish_guix_using_command archive' -l fallback -d 'fall
 complete -f -c guix -n '__fish_guix_using_command archive' -l no-substitutes -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command archive' -l no-grafts -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command archive' -l no-build-hook -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command archive' -l no-offload -d 'do not attempt to offload builds'
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--timeout=" -f -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--verbosity=" -d 'use the given verbosity LEVEL'
@@ -498,7 +498,7 @@ complete -f -c guix -n '__fish_guix_using_command archive' -a "--cores=" -d 'all
 complete -f -c guix -n '__fish_guix_using_command archive' -a "--max-jobs=" -d 'allow at most N build jobs'
 
 #### pack
-set -l remotecommands --load-path= --keep-failed --keep-going --dry-run --fallback --no-substitutes --substitute-urls= --no-grafts --no-build-hook --max-silent-time= --timeout= --verbosity= --rounds= --cores= --max-jobs= --with-source= --with-input= --with-graft= --format= --expression= --system= --target= --compression= --symlink= --localstatedir --help --version
+set -l remotecommands --load-path= --keep-failed --keep-going --dry-run --fallback --no-substitutes --substitute-urls= --no-grafts --no-offload --max-silent-time= --timeout= --verbosity= --rounds= --cores= --max-jobs= --with-source= --with-input= --with-graft= --format= --expression= --system= --target= --compression= --symlink= --localstatedir --help --version
 complete -f -c guix -n '__fish_guix_needs_command' -a pack -d 'Create a bundle of PACKAGE.'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--load-path=" -d 'prepend DIR to the package module search path'
 complete -f -c guix -n '__fish_guix_using_command pack' -s L -d 'prepend DIR to the package module search path'
@@ -512,7 +512,7 @@ complete -f -c guix -n '__fish_guix_using_command pack' -a "--fallback" -d 'fall
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--no-substitutes" -d 'build instead of resorting to pre-built substitutes'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--substitute-urls=" -d 'fetch substitute from URLS if they are authorized'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--no-grafts" -d 'do not graft packages'
-complete -f -c guix -n '__fish_guix_using_command pack' -a "--no-build-hook" -d 'do not attempt to offload builds via the build hook'
+complete -f -c guix -n '__fish_guix_using_command pack' -a "--no-offload" -d 'do not attempt to offload builds via the build hook'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--max-silent-time=" -d 'mark the build as failed after SECONDS of silence'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--timeout=" -d 'mark the build as failed after SECONDS of activity'
 complete -f -c guix -n '__fish_guix_using_command pack' -a "--verbosity=" -d 'use the given verbosity LEVEL'
diff --git a/etc/completion/zsh/_guix b/etc/completion/zsh/_guix
index 3760bb629b..ae93b62b1d 100644
--- a/etc/completion/zsh/_guix
+++ b/etc/completion/zsh/_guix
@@ -87,7 +87,7 @@ _guix_list_installed_packages()
         '--no-substitutes[build instead of resorting to pre-built substitutes]' \
         '--substitute-urls=[fetch substitute from URLS if they are authorized]:URLS:_urls' \
         '--no-grafts[do not graft packages]' \
-        '--no-build-hook[do not attempt to offload builds via the build hook]' \
+        '--no-offload[do not attempt to offload builds]' \
         '--max-silent-time=[mark the build as failed after SECONDS of silence]:SECONDS' \
         '--timeout=[mark the build as failed after SECONDS of activity]:SECONDS' \
         '--verbosity=[use the given verbosity LEVEL]:LEVEL' \
@@ -158,7 +158,7 @@ _guix_list_installed_packages()
         '--no-substitutes[build instead of resorting to pre-built substitutes]' \
         '--substitute-urls=[fetch substitute from URLS if they are authorized]:URLS:_urls' \
         '--no-grafts[do not graft packages]' \
-        '--no-build-hook[do not attempt to offload builds via the build hook]' \
+        '--no-offload[do not attempt to offload builds]' \
         '--max-silent-time=[mark the build as failed after SECONDS of silence]:SECONDS' \
         '--timeout=[mark the build as failed after SECONDS of activity]:SECONDS' \
         '--verbosity=[use the given verbosity LEVEL]:LEVEL' \
@@ -282,7 +282,7 @@ _guix_list_installed_packages()
         '--no-substitutes[build instead of resorting to pre-built substitutes]' \
         '--substitute-urls=[fetch substitute from URLS if they are authorized]:URLS:_urls' \
         '--no-grafts[do not graft packages]' \
-        '--no-build-hook[do not attempt to offload builds via the build hook]' \
+        '--no-offload[do not attempt to offload builds]' \
         '--max-silent-time=[mark the build as failed after SECONDS of silence]:SECONDS' \
         '--timeout=[mark the build as failed after SECONDS of activity]:SECONDS' \
         '--verbosity=[use the given verbosity LEVEL]:LEVEL' \
@@ -374,7 +374,7 @@ _guix_list_installed_packages()
         '--no-substitutes[build instead of resorting to pre-built substitutes]' \
         '--substitute-urls=[fetch substitute from URLS if they are authorized]:URL:_urls' \
         '--no-grafts[do not graft packages]' \
-        '--no-build-hook[do not attempt to offload builds via the build hook]' \
+        '--no-offload[do not attempt to offload builds]' \
         '--max-silent-time=[mark the build as failed after SECONDS of silence]:SECONDS' \
         '--timeout=[mark the build as failed after SECONDS of activity]:SECONDS' \
         '--verbosity=[use the given verbosity LEVEL]:LEVEL' \
diff --git a/gnu/build/vm.scm b/gnu/build/vm.scm
index a5d9fefa62..6f920aec9e 100644
--- a/gnu/build/vm.scm
+++ b/gnu/build/vm.scm
@@ -82,6 +82,7 @@
                            make-disk-image?
                            single-file-output?
                            target-arm32?
+                           target-aarch64?
                            (disk-image-size (* 100 (expt 2 20)))
                            (disk-image-format "qcow2")
                            (references-graphs '()))
@@ -97,16 +98,28 @@ access it via /dev/hda.
 REFERENCES-GRAPHS can specify a list of reference-graph files as produced by
 the #:references-graphs parameter of 'derivation'."
 
+  (define target-arm? (or target-arm32? target-aarch64?))
+
   (define arch-specific-flags
     `(;; On ARM, a machine has to be specified. Use "virt" machine to avoid
       ;; hardware limits imposed by other machines.
-      ,@(if target-arm32? '("-M" "virt") '())
+      ,@(if target-arm?
+            '("-M" "virt")
+            '())
+
+      ;; On ARM32, if the kernel is built without LPAE support, ECAM conflicts
+      ;; with VIRT_PCIE_MMIO causing PCI devices not to show up.  Disable
+      ;; explicitely highmem to fix it.
+      ;; See: https://bugs.launchpad.net/qemu/+bug/1790975.
+      ,@(if target-arm32?
+            '("-machine" "highmem=off")
+            '())
 
       ;; Only enable kvm if we see /dev/kvm exists.  This allows users without
       ;; hardware virtualization to still use these commands.  KVM support is
-      ;; still buggy on some ARM32 boards. Do not use it even if available.
+      ;; still buggy on some ARM boards. Do not use it even if available.
       ,@(if (and (file-exists? "/dev/kvm")
-                 (not target-arm32?))
+                 (not target-arm?))
             '("-enable-kvm")
             '())
 
@@ -117,11 +130,11 @@ the #:references-graphs parameter of 'derivation'."
                       ;; The serial port name differs between emulated
                       ;; architectures/machines.
                       " console="
-                      (if target-arm32? "ttyAMA0" "ttyS0"))
+                      (if target-arm? "ttyAMA0" "ttyS0"))
 
       ;; NIC is not supported on ARM "virt" machine, so use a user mode
       ;; network stack instead.
-      ,@(if target-arm32?
+      ,@(if target-arm?
             '("-device" "virtio-net-pci,netdev=mynet"
               "-netdev" "user,id=mynet")
             '("-net" "nic,model=virtio"))))
@@ -145,7 +158,9 @@ the #:references-graphs parameter of 'derivation'."
     (_ #f))
 
   (apply invoke qemu "-nographic" "-no-reboot"
-         "-smp" (number->string (parallel-job-count))
+         ;; CPU "max" behaves as "host" when KVM is enabled, and like a system
+         ;; CPU with the maximum possible feature set otherwise.
+         "-cpu" "max"
          "-m" (number->string memory-size)
          "-object" "rng-random,filename=/dev/urandom,id=guixsd-vm-rng"
          "-device" "virtio-rng-pci,rng=guixsd-vm-rng"
diff --git a/gnu/local.mk b/gnu/local.mk
index e2c5884ff1..feb7343ba9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -826,6 +826,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/fbreader-curl-7.62.patch		\
   %D%/packages/patches/fcgi-2.4.0-gcc44-fixes.patch		\
   %D%/packages/patches/fcgi-2.4.0-poll.patch			\
+  %D%/packages/patches/feh-fix-tests-for-imlib2-1.6.patch	\
   %D%/packages/patches/fifo-map-fix-flags-for-gcc.patch		\
   %D%/packages/patches/fifo-map-remove-catch.hpp.patch		\
   %D%/packages/patches/file-CVE-2018-10360.patch		\
@@ -1079,6 +1080,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch	\
   %D%/packages/patches/libreoffice-icu.patch			\
   %D%/packages/patches/libreoffice-glm.patch			\
+  %D%/packages/patches/libseccomp-open-aarch64.patch		\
   %D%/packages/patches/libsndfile-armhf-type-checks.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8361-8363-8365.patch	\
   %D%/packages/patches/libsndfile-CVE-2017-8362.patch		\
@@ -1218,6 +1220,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/p7zip-CVE-2016-9296.patch		\
   %D%/packages/patches/p7zip-CVE-2017-17969.patch		\
   %D%/packages/patches/p7zip-remove-unused-code.patch		\
+  %D%/packages/patches/pam-mount-luks2-support.patch		\
   %D%/packages/patches/patchutils-test-perms.patch		\
   %D%/packages/patches/patch-hurd-path-max.patch		\
   %D%/packages/patches/pcre2-fix-jit_match-crash.patch		\
@@ -1466,7 +1469,12 @@ dist_patch_DATA =						\
   %D%/packages/patches/xfce4-panel-plugins.patch		\
   %D%/packages/patches/xfce4-settings-defaults.patch		\
   %D%/packages/patches/xinetd-fix-fd-leak.patch			\
-  %D%/packages/patches/xinetd-CVE-2013-4342.patch
+  %D%/packages/patches/xinetd-CVE-2013-4342.patch		\
+  %D%/packages/patches/xsane-fix-memory-leak.patch		\
+  %D%/packages/patches/xsane-fix-pdf-floats.patch		\
+  %D%/packages/patches/xsane-fix-snprintf-buffer-length.patch	\
+  %D%/packages/patches/xsane-support-ipv6.patch			\
+  %D%/packages/patches/xsane-tighten-default-umask.patch
 
 MISC_DISTRO_FILES =				\
   %D%/packages/ld-wrapper.in
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 761b26a8d6..d838c81717 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm