diff --git a/doc/package-notes.xml b/doc/package-notes.xml
index e1aea62f784..4d87a3a67fe 100644
--- a/doc/package-notes.xml
+++ b/doc/package-notes.xml
@@ -477,32 +477,18 @@ it. Place the resulting <filename>package.nix</filename> file into
 
   <varlistentry>
   <term>Using the FOSS Radeon or nouveau (nvidia) drivers</term>
-  <listitem><itemizedlist><listitem><para>
-  Both the open source radeon drivers as well as the nouveau drivers (nvidia)
-  need a newer libc++ than is provided by the default runtime, which leads to a
-  crash on launch. Use <programlisting>environment.systemPackages =
-  [(pkgs.steam.override { newStdcpp = true; })];</programlisting> in your config
-  if you get an error like
-  <programlisting>
-libGL error: unable to load driver: radeonsi_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: radeonsi
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting>
-  or
-  <programlisting>
-libGL error: unable to load driver: nouveau_dri.so
-libGL error: driver pointer missing
-libGL error: failed to load driver: nouveau
-libGL error: unable to load driver: swrast_dri.so
-libGL error: failed to load driver: swrast</programlisting></para></listitem>
-  <listitem><para>
-  Steam ships statically linked with a version of libcrypto that
-  conflics with the one dynamically loaded by radeonsi_dri.so.
-  If you get the error
-  <programlisting>steam.sh: line 713: 7842 Segmentation fault (core dumped)</programlisting>
-  have a look at <link xlink:href="https://github.com/NixOS/nixpkgs/pull/20269">this pull request</link>.
-  </para></listitem>
+  <listitem><itemizedlist>
+    <listitem><para>The <literal>newStdcpp</literal> parameter
+    was removed since NixOS 17.09 and should not be needed anymore.
+    </para></listitem>
+
+    <listitem><para>
+    Steam ships statically linked with a version of libcrypto that
+    conflics with the one dynamically loaded by radeonsi_dri.so.
+    If you get the error
+    <programlisting>steam.sh: line 713: 7842 Segmentation fault (core dumped)</programlisting>
+    have a look at <link xlink:href="https://github.com/NixOS/nixpkgs/pull/20269">this pull request</link>.
+    </para></listitem>
 
   </itemizedlist></listitem></varlistentry>
 
diff --git a/nixos/doc/manual/release-notes/release-notes.xml b/nixos/doc/manual/release-notes/release-notes.xml
index 6065a86f60d..5ed56bde665 100644
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@@ -9,6 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
 
+<xi:include href="rl-1803.xml" />
 <xi:include href="rl-1709.xml" />
 <xi:include href="rl-1703.xml" />
 <xi:include href="rl-1609.xml" />
diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml
index c951934e623..1d6e693f83c 100644
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@@ -289,6 +289,52 @@ FLUSH PRIVILEGES;
       in them being reloaded.
     </para>
   </listitem>
+
+  <listitem>
+    <para>
+      <literal>services.mysqlBackup</literal> now works by default
+      without any user setup, including for users other than
+      <literal>mysql</literal>.
+    </para>
+
+    <para>
+      By default, the <literal>mysql</literal> user is no longer the
+      user which performs the backup. Instead a system account
+      <literal>mysqlbackup</literal> is used.
+    </para>
+
+    <para>
+      The <literal>mysqlBackup</literal> service is also now using
+      systemd timers instead of <literal>cron</literal>.
+    </para>
+
+    <para>
+      Therefore, the <literal>services.mysqlBackup.period</literal>
+      option no longer exists, and has been replaced with
+      <literal>services.mysqlBackup.calendar</literal>, which is in
+      the format of <link
+      xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events">systemd.time(7)</link>.
+    </para>
+
+    <para>
+      If you expect to be sent an e-mail when the backup fails,
+      consider using a script which monitors the systemd journal for
+      errors. Regretfully, at present there is no built-in
+      functionality for this.
+    </para>
+
+    <para>
+      You can check that backups still work by running
+      <command>systemctl start mysql-backup</command> then
+      <command>systemctl status mysql-backup</command>.
+    </para>
+  </listitem>
+
+  <listitem>
+    <para>Steam: the <literal>newStdcpp</literal> parameter
+    was removed and should not be needed anymore.</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>Other notable improvements:</para>
@@ -344,7 +390,7 @@ FLUSH PRIVILEGES;
   </listitem>
   <listitem>
     <para>
-      Definitions for <filename>/etc/hosts</filename> can now be sped
+      Definitions for <filename>/etc/hosts</filename> can now be specified
       declaratively with <literal>networking.hosts</literal>.
     </para>
   </listitem>
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index ce05cde7b08..7acc689ed11 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -29,8 +29,7 @@ following incompatible changes:</para>
 
 <itemizedlist>
   <listitem>
-    <para>
-    </para>
+    <para></para>
   </listitem>
 </itemizedlist>
 
diff --git a/nixos/modules/services/backup/mysql-backup.nix b/nixos/modules/services/backup/mysql-backup.nix
index 28f607861f7..3f533fa457d 100644
--- a/nixos/modules/services/backup/mysql-backup.nix
+++ b/nixos/modules/services/backup/mysql-backup.nix
@@ -6,10 +6,28 @@ let
 
   inherit (pkgs) mysql gzip;
 
-  cfg = config.services.mysqlBackup ;
-  location = cfg.location ;
-  mysqlBackupCron = db : ''
-    ${cfg.period} ${cfg.user} ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > ${location}/${db}.gz
+  cfg = config.services.mysqlBackup;
+  defaultUser = "mysqlbackup";
+
+  backupScript = ''
+    set -o pipefail
+    failed=""
+    ${concatMapStringsSep "\n" backupDatabaseScript cfg.databases}
+    if [ -n "$failed" ]; then
+      echo "Backup of database(s) failed:$failed"
+      exit 1
+    fi
+  '';
+  backupDatabaseScript = db: ''
+    dest="${cfg.location}/${db}.gz"
+    if ${mysql}/bin/mysqldump ${if cfg.singleTransaction then "--single-transaction" else ""} ${db} | ${gzip}/bin/gzip -c > $dest.tmp; then
+      mv $dest.tmp $dest
+      echo "Backed up to $dest"
+    else
+      echo "Failed to back up to $dest"
+      rm -f $dest.tmp
+      failed="$failed ${db}"
+    fi
   '';
 
 in
@@ -26,17 +44,16 @@ in
         '';
       };
 
-      period = mkOption {
-        default = "15 01 * * *";
+      calendar = mkOption {
+        type = types.str;
+        default = "01:15:00";
         description = ''
-          This option defines (in the format used by cron) when the
-          databases should be dumped.
-          The default is to update at 01:15 (at night) every day.
+          Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
         '';
       };
 
       user = mkOption {
-        default = "mysql";
+        default = defaultUser;
         description = ''
           User to be used to perform backup.
         '';
@@ -66,16 +83,49 @@ in
 
   };
 
-  config = mkIf config.services.mysqlBackup.enable {
+  config = mkIf cfg.enable {
+    users.extraUsers = optionalAttrs (cfg.user == defaultUser) (singleton
+      { name = defaultUser;
+        isSystemUser = true;
+        createHome = false;
+        home = cfg.location;
+        group = "nogroup";
+      });
 
-    services.cron.systemCronJobs = map mysqlBackupCron config.services.mysqlBackup.databases;
-
-    system.activationScripts.mysqlBackup = stringAfter [ "stdio" "users" ]
-      ''
-        mkdir -m 0700 -p ${config.services.mysqlBackup.location}
-        chown ${config.services.mysqlBackup.user} ${config.services.mysqlBackup.location}
-      '';
+    services.mysql.ensureUsers = [{
+      name = cfg.user;
+      ensurePermissions = with lib;
+        let
+          privs = "SELECT, SHOW VIEW, TRIGGER, LOCK TABLES";
+          grant = db: nameValuePair "${db}.*" privs;
+        in
+          listToAttrs (map grant cfg.databases);
+    }];
 
+    systemd = {
+      timers."mysql-backup" = {
+        description = "Mysql backup timer";
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = cfg.calendar;
+          AccuracySec = "5m";
+          Unit = "mysql-backup.service";
+        };
+      };
+      services."mysql-backup" = {
+        description = "Mysql backup service";
+        enable = true;
+        serviceConfig = {
+          User = cfg.user;
+          PermissionsStartOnly = true;
+        };
+        preStart = ''
+          mkdir -m 0700 -p ${cfg.location}
+          chown -R ${cfg.user} ${cfg.location}
+        '';
+        script = backupScript;
+      };
+    };
   };
 
 }
diff --git a/nixos/modules/services/mail/spamassassin.nix b/nixos/modules/services/mail/spamassassin.nix
index fc8396cd85e..d483a8c3d67 100644
--- a/nixos/modules/services/mail/spamassassin.nix
+++ b/nixos/modules/services/mail/spamassassin.nix
@@ -42,7 +42,7 @@ in
 
           Then you can Use this sieve filter:
             require ["fileinto", "reject", "envelope"];
-            
+
             if header :contains "X-Spam-Flag" "YES" {
               fileinto "spam";
             }
@@ -67,11 +67,11 @@ in
       initPreConf = mkOption {
         type = types.str;
         description = "The SpamAssassin init.pre config.";
-        default = 
-        ''          
+        default =
+        ''
           #
           # to update this list, run this command in the rules directory:
-          # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq     
+          # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq
           #
 
           #loadplugin Mail::SpamAssassin::Plugin::AccessDB
@@ -122,7 +122,11 @@ in
   config = mkIf cfg.enable {
 
     # Allow users to run 'spamc'.
-    environment.systemPackages = [ pkgs.spamassassin ];
+
+    environment = {
+      etc = singleton { source = spamdEnv; target = "spamassassin"; };
+      systemPackages = [ pkgs.spamassassin ];
+    };
 
     users.extraUsers = singleton {
       name = "spamd";
@@ -138,7 +142,7 @@ in
 
     systemd.services.sa-update = {
       script = ''
-        set +e 
+        set +e
         ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd
 
         v=$?
@@ -153,7 +157,7 @@ in
       '';
     };
 
-    systemd.timers.sa-update = { 
+    systemd.timers.sa-update = {
       description = "sa-update-service";
       partOf      = [ "sa-update.service" ];
       wantedBy    = [ "timers.target" ];
@@ -177,15 +181,10 @@ in
       # 0 and 1 no error, exitcode > 1 means error:
       # https://spamassassin.apache.org/full/3.1.x/doc/sa-update.html#exit_codes
       preStart = ''
-        # this abstraction requires no centralized config at all
-        if [ -d /etc/spamassassin ]; then
-          echo "This spamassassin does not support global '/etc/spamassassin' folder for configuration as this would be impure. Merge your configs into 'services.spamassassin' and remove the '/etc/spamassassin' folder to make this service work. Also see 'https://github.com/NixOS/nixpkgs/pull/26470'."; 
-          exit 1
-        fi
         echo "Recreating '/var/lib/spamasassin' with creating '3.004001' (or similar) and 'sa-update-keys'"
         mkdir -p /var/lib/spamassassin
         chown spamd:spamd /var/lib/spamassassin -R
-        set +e 
+        set +e
         ${pkgs.su}/bin/su -s "${pkgs.bash}/bin/bash" -c "${pkgs.spamassassin}/bin/sa-update --gpghomedir=/var/lib/spamassassin/sa-update-keys/ --siteconfigpath=${spamdEnv}/" spamd
         v=$?
         set -e
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index bf1304ee7ac..efa3b5b6bd7 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -428,7 +428,7 @@ in
         fi
       '';
 
-    nix.nrBuildUsers = mkDefault (lib.max 10 cfg.maxJobs);
+    nix.nrBuildUsers = mkDefault (lib.max 32 cfg.maxJobs);
 
     users.extraUsers = nixbldUsers;
 
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index d5db328310c..0354e76d74f 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -141,7 +141,6 @@ in
               ${optionalString (data.ed25519PrivateKeyFile != null) "Ed25519PrivateKeyFile = ${data.ed25519PrivateKeyFile}"}
               ${optionalString (data.listenAddress != null) "ListenAddress = ${data.listenAddress}"}
               ${optionalString (data.bindToAddress != null) "BindToAddress = ${data.bindToAddress}"}
-              Device = /dev/net/tun
               Interface = tinc.${network}
               ${data.extraConfig}
             '';
@@ -168,6 +167,7 @@ in
           Type = "simple";
           Restart = "always";
           RestartSec = "3";
+          ExecStart = "${data.package}/bin/tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}";
         };
         preStart = ''
           mkdir -p /etc/tinc/${network}/hosts
@@ -187,9 +187,6 @@ in
             [ -f "/etc/tinc/${network}/rsa_key.priv" ] || tincd -n ${network} -K 4096
           fi
         '';
-        script = ''
-          tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
-        '';
       })
     );
 
diff --git a/nixos/release.nix b/nixos/release.nix
index ac7755a160f..06f1c73410c 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -283,6 +283,7 @@ in rec {
   tests.mumble = callTest tests/mumble.nix {};
   tests.munin = callTest tests/munin.nix {};
   tests.mysql = callTest tests/mysql.nix {};
+  tests.mysqlBackup = callTest tests/mysql-backup.nix {};
   tests.mysqlReplication = callTest tests/mysql-replication.nix {};
   tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
   tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
diff --git a/nixos/tests/mysql-backup.nix b/nixos/tests/mysql-backup.nix
new file mode 100644
index 00000000000..f5bcc460cba
--- /dev/null
+++ b/nixos/tests/mysql-backup.nix
@@ -0,0 +1,42 @@
+# Test whether mysqlBackup option works
+import ./make-test.nix ({ pkgs, ... } : {
+  name = "mysql-backup";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ rvl ];
+  };
+
+  nodes = {
+    master = { config, pkgs, ... }: {
+      services.mysql = {
+        enable = true;
+        initialDatabases = [ { name = "testdb"; schema = ./testdb.sql; } ];
+        package = pkgs.mysql;
+      };
+
+      services.mysqlBackup = {
+        enable = true;
+        databases = [ "doesnotexist" "testdb" ];
+      };
+    };
+  };
+
+  testScript =
+    '' startAll;
+
+       # Need to have mysql started so that it can be populated with data.
+       $master->waitForUnit("mysql.service");
+
+       # Wait for testdb to be populated.
+       $master->sleep(10);
+
+       # Do a backup and wait for it to finish.
+       $master->startJob("mysql-backup.service");
+       $master->waitForJob("mysql-backup.service");
+
+       # Check that data appears in backup
+       $master->succeed("${pkgs.gzip}/bin/zcat /var/backup/mysql/testdb.gz | grep hello");
+
+       # Check that a failed backup is logged
+       $master->succeed("journalctl -u mysql-backup.service | grep 'fail.*doesnotexist' > /dev/null");
+    '';
+})
diff --git a/nixos/tests/testdb.sql b/nixos/tests/testdb.sql
index 4fb28fea3df..3c68c49ae82 100644
--- a/nixos/tests/testdb.sql
+++ b/nixos/tests/testdb.sql
@@ -8,3 +8,4 @@ insert into tests values (1, 'a');
 insert into tests values (2, 'b');
 insert into tests values (3, 'c');
 insert into tests values (4, 'd');
+insert into tests values (5, 'hello');
diff --git a/pkgs/applications/editors/vim/common.nix b/pkgs/applications/editors/vim/common.nix
index 1d661014c77..18e1df4575d 100644
--- a/pkgs/applications/editors/vim/common.nix
+++ b/pkgs/applications/editors/vim/common.nix
@@ -1,12 +1,12 @@
 { lib, fetchFromGitHub }:
 rec {
-  version = "8.0.0442";
+  version = "8.0.1150";
 
   src = fetchFromGitHub {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    sha256 = "1pyyrkb7k5vhm1ijrh4v2f50lxhrgga5mm0gvmz4v704z0h585yg";
+    sha256 = "1k1qkmb2jbymqikrp99q1yjagdf508xzabrw7b08dlh926b2v23j";
   };
 
   enableParallelBuilding = true;
diff --git a/pkgs/applications/networking/browsers/firefox/no-buildconfig.patch b/pkgs/applications/networking/browsers/firefox/no-buildconfig.patch
new file mode 100644
index 00000000000..83f9a1329be
--- /dev/null
+++ b/pkgs/applications/networking/browsers/firefox/no-buildconfig.patch
@@ -0,0 +1,25 @@
+diff -ru -x '*~' firefox-55.0.3-orig/docshell/base/nsAboutRedirector.cpp firefox-55.0.3/docshell/base/nsAboutRedirector.cpp
+--- firefox-55.0.3-orig/docshell/base/nsAboutRedirector.cpp	2017-07-31 18:20:51.000000000 +0200
++++ firefox-55.0.3/docshell/base/nsAboutRedirector.cpp	2017-09-26 22:02:00.814151731 +0200
+@@ -40,10 +40,6 @@
+     nsIAboutModule::ALLOW_SCRIPT
+   },
+   {
+-    "buildconfig", "chrome://global/content/buildconfig.html",
+-    nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT
+-  },
+-  {
+     "checkerboard", "chrome://global/content/aboutCheckerboard.xhtml",
+     nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+       nsIAboutModule::ALLOW_SCRIPT
+diff -ru -x '*~' firefox-55.0.3-orig/toolkit/content/jar.mn firefox-55.0.3/toolkit/content/jar.mn
+--- firefox-55.0.3-orig/toolkit/content/jar.mn	2017-07-31 18:20:52.000000000 +0200
++++ firefox-55.0.3/toolkit/content/jar.mn	2017-09-26 22:01:42.383350314 +0200
+@@ -40,7 +40,6 @@
+    content/global/plugins.css
+    content/global/browser-child.js
+    content/global/browser-content.js
+-*   content/global/buildconfig.html
+    content/global/contentAreaUtils.js
+ #ifndef MOZ_FENNEC
+    content/global/customizeToolbar.css
diff --git a/pkgs/applications/networking/browsers/firefox/packages.nix b/pkgs/applications/networking/browsers/firefox/packages.nix
index 83eb563a8e7..e2a8e201fef 100644
--- a/pkgs/applications/networking/browsers/firefox/packages.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -12,10 +12,12 @@ rec {
       sha512 = "3cacc87b97871f3a8c5e97c17ef7025079cb5c81f32377d9402cdad45815ac6c4c4762c79187f1e477910161c2377c42d41de62a50b6741d5d7c1cd70e8c6416";
     };
 
-    patches = lib.optional stdenv.isi686 (fetchpatch {
-      url = "https://hg.mozilla.org/mozilla-central/raw-rev/15517c5a5d37";
-      sha256 = "1ba487p3hk4w2w7qqfxgv1y57vp86b8g3xhav2j20qd3j3phbbn7";
-    });
+    patches =
+      [ ./no-buildconfig.patch ]
+      ++ lib.optional stdenv.isi686 (fetchpatch {
+        url = "https://hg.mozilla.org/mozilla-central/raw-rev/15517c5a5d37";
+        sha256 = "1ba487p3hk4w2w7qqfxgv1y57vp86b8g3xhav2j20qd3j3phbbn7";
+      });
 
     meta = {
       description = "A web browser built from Firefox source tree";
diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix
index 1dd5c9191f0..2413f1cfdca 100644
--- a/pkgs/applications/networking/browsers/firefox/wrapper.nix
+++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix
@@ -129,6 +129,8 @@ in stdenv.mkDerivation {
 
   passthru = { unwrapped = browser; };
 
+  disallowedRequisites = [ stdenv.cc ];
+
   meta = browser.meta // {
     description =
       browser.meta.description
diff --git a/pkgs/applications/networking/browsers/tor-browser-bundle/default.nix b/pkgs/applications/networking/browsers/tor-browser-bundle/default.nix
index 048017cae5b..ca20125332a 100644
--- a/pkgs/applications/networking/browsers/tor-browser-bundle/default.nix
+++ b/pkgs/applications/networking/browsers/tor-browser-bundle/default.nix
@@ -2,11 +2,20 @@
 , lib
 , fetchurl
 , fetchgit
+, symlinkJoin
 
 , tor
 , tor-browser-unwrapped
 
+# Wrapper runtime
+, coreutils
+, hicolor_icon_theme
+, shared_mime_info
+, noto-fonts
+, noto-fonts-emoji
+
 # Extensions, common
+, unzip
 , zip
 
 # HTTPS Everywhere
@@ -15,6 +24,9 @@
 , python27
 , python27Packages
 , rsync
+
+# Customization
+, extraPrefs ? ""
 }:
 
 let
@@ -24,11 +36,16 @@ let
     sha256 = "0j37mqldj33fnzghxifvy6v8vdwkcz0i4z81prww64md5s8qcsa9";
   };
 
+  # Each extension drv produces an output comprising an unpacked .xpi
+  # named after the extension uuid, as it would appear under
+  # `firefox/extensions'.
   firefoxExtensions = {
     https-everywhere = stdenv.mkDerivation rec {
       name = "https-everywhere-${version}";
       version = "5.2.21";
 
+      extid = "https-everywhere-eff@eff.org";
+
       src = fetchgit {
         url = "https://git.torproject.org/https-everywhere.git";
         rev = "refs/tags/${version}";
@@ -41,16 +58,24 @@ let
         python27
         python27Packages.lxml
         rsync
+        unzip
         zip
       ];
 
-      buildCommand = ''
+      unpackPhase = ''
         cp -dR --no-preserve=mode "$src" src
         cd src
+      '';
 
-        sed -i makexpi.sh -e '104d' # cp -a translations/* fails because the dir is empty ...
+      # Beware: the build expects translations/ to be non-empty (which it
+      # will be with submodules initialized).
+      buildPhase = ''
         $shell ./makexpi.sh ${version} --no-recurse
-        install -m 444 -Dt $out pkg"/"*.xpi
+      '';
+
+      installPhase = ''
+        mkdir $out
+        unzip -d "$out/$extid" "pkg/https-everywhere-$version-eff.xpi"
       '';
 
       meta = {
@@ -58,53 +83,105 @@ let
       };
     };
 
-    noscript = fetchurl {
-      url = https://secure.informaction.com/download/releases/noscript-5.0.10.xpi;
-      sha256 = "18k5karbaj5mhd9cyjbqgik6044bw88rjalkh6anjanxbn503j6g";
+    noscript = stdenv.mkDerivation rec {
+      name = "noscript-${version}";
+      version = "5.0.10";
+
+      extid = "{73a6fe31-595d-460b-a920-fcc0f8843232}";
+
+      src = fetchurl {
+        url = "https://secure.informaction.com/download/releases/noscript-${version}.xpi";
+        sha256 = "18k5karbaj5mhd9cyjbqgik6044bw88rjalkh6anjanxbn503j6g";
+      };
+
+      nativeBuildInputs = [ unzip ];
+
+      unpackPhase = ":";
+
+      installPhase = ''
+        mkdir $out
+        unzip -d "$out/$extid" "$src"
+      '';
     };
 
     torbutton = stdenv.mkDerivation rec {
       name = "torbutton-${version}";
       version = "1.9.8.1";
 
+      extid = "torbutton@torproject.org";
+
       src = fetchgit {
         url = "https://git.torproject.org/torbutton.git";
         rev = "refs/tags/${version}";
         sha256 = "1amp0c9ky0a7fsa0bcbi6n6ginw7s2g3an4rj7kvc1lxmrcsm65l";
       };
 
-      nativeBuildInputs = [ zip ];
+      nativeBuildInputs = [ unzip zip ];
 
-      buildCommand = ''
+      unpackPhase = ''
         cp -dR --no-preserve=mode "$src" src
         cd src
-
-        $shell ./makexpi.sh
-        install -m 444 -Dt $out pkg"/"*.xpi
       '';
+
+      buildPhase = ''
+        $shell ./makexpi.sh
+      '';
+
+      installPhase = ''
+        mkdir $out
+        unzip -d "$out/$extid" "pkg/torbutton-$version.xpi"
+      '';
+
+      meta = {
+        homepage = https://gitweb.torproject.org/torbutton.git/;
+      };
     };
 
     tor-launcher = stdenv.mkDerivation rec {
       name = "tor-launcher-${version}";
       version = "0.2.12.3";
 
+      extid = "tor-launcher@torproject.org";
+
       src = fetchgit {
         url = "https://git.torproject.org/tor-launcher.git";
         rev = "refs/tags/${version}";
         sha256 = "0126x48pjiy2zm4l8jzhk70w24hviaz560ffp4lb9x0ar615bc9q";
       };
 
-      nativeBuildInputs = [ zip ];
+      nativeBuildInputs = [ unzip zip ];
 
-      buildCommand = ''
+      unpackPhase = ''
         cp -dR --no-preserve=mode "$src" src
         cd src
-
-        make package
-        install -m 444 -Dt $out pkg"/"*.xpi
       '';
+
+      buildPhase = ''
+        make package
+      '';
+
+      installPhase = ''
+        mkdir $out
+        unzip -d "$out/$extid" "pkg/tor-launcher-$version.xpi"
+      '';
+
+      meta = {
+        homepage = https://gitweb.torproject.org/tor-launcher.git/;
+      };
     };
   };
+
+  extensionsEnv = symlinkJoin {
+    name = "tor-browser-extensions";
+    paths = with firefoxExtensions; [ https-everywhere noscript torbutton tor-launcher ];
+  };
+
+  fontsEnv = symlinkJoin {
+    name = "tor-browser-fonts";
+    paths = [ noto-fonts noto-fonts-emoji ];
+  };
+
+  fontsDir = "${fontsEnv}/share/fonts";
 in
 stdenv.mkDerivation rec {
   name = "tor-browser-bundle-${version}";
@@ -118,10 +195,13 @@ stdenv.mkDerivation rec {
 
   installPhase = ''
     TBBUILD=${tor-browser-build_src}/projects/tor-browser
+    TBDATA_PATH=TorBrowser-Data
 
     self=$out/lib/tor-browser
     mkdir -p $self && cd $self
 
+    TBDATA_IN_STORE=$self/$TBDATA_PATH
+
     cp -dR ${tor-browser-unwrapped}/lib"/"*"/"* .
     chmod -R +w .
 
@@ -144,58 +224,148 @@ stdenv.mkDerivation rec {
 
     // Where to find the Nixpkgs tor executable & config
     lockPref("extensions.torlauncher.tor_path", "${tor}/bin/tor");
-    lockPref("extensions.torlauncher.torrc-defaults_path", "$self/torrc-defaults");
+    lockPref("extensions.torlauncher.torrc-defaults_path", "$TBDATA_IN_STORE/torrc-defaults");
 
     // Captures store paths
     clearPref("extensions.xpiState");
+    clearPref("extensions.bootstrappedAddons");
 
     // Insist on using IPC for communicating with Tor
-    //
-    // Defaults to $XDG_RUNTIME_DIR/Tor/{socks,control}.socket
     lockPref("extensions.torlauncher.control_port_use_ipc", true);
     lockPref("extensions.torlauncher.socks_port_use_ipc", true);
+
+    // User customization
+    ${extraPrefs}
     EOF
 
     # Preload extensions
-    install -m 444 -D \
-      ${firefoxExtensions.tor-launcher}/tor-launcher-*.xpi \
-      browser/extensions/tor-launcher@torproject.org.xpi
-    install -m 444 -D \
-      ${firefoxExtensions.torbutton}/torbutton-*.xpi \
-      browser/extensions/torbutton@torproject.org.xpi
-    install -m 444 -D \
-      ${firefoxExtensions.https-everywhere}/https-everywhere-*-eff.xpi \
-      browser/extensions/https-everywhere-eff@eff.org.xpi
-    install -m 444 -D \
-      ${firefoxExtensions.noscript} \
-      browser/extensions/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
+    # XXX: the fact that ln -s env browser/extensions fails, symlinkJoin seems a little redundant ...
+    ln -s -t browser/extensions ${extensionsEnv}"/"*
 
     # Copy bundle data
-    cat \
-      $TBBUILD/Bundle-Data/linux/Data/Tor/torrc-defaults \
-      $TBBUILD/Bundle-Data/PTConfigs/linux/torrc-defaults-appendix \
-      >> torrc-defaults
+    bundlePlatform=linux
+    bundleData=$TBBUILD/Bundle-Data
 
+    mkdir -p $TBDATA_PATH
     cat \
-      $TBBUILD/Bundle-Data/linux/Data/Browser/profile.default/preferences/extension-overrides.js \
-      $TBBUILD/Bundle-Data/PTConfigs/bridge_prefs.js >> defaults/pref/extension-overrides.js \
+      $bundleData/$bundlePlatform/Data/Tor/torrc-defaults \
+      >> $TBDATA_PATH/torrc-defaults
+    cat \
+      $bundleData/$bundlePlatform/Data/Browser/profile.default/preferences/extension-overrides.js \
       >> defaults/pref/extension-overrides.js
 
+    # Hard-code path to TBB fonts; xref: FONTCONFIG_FILE in the wrapper below
+    sed $bundleData/$bundlePlatform/Data/fontconfig/fonts.conf \
+        -e "s,<dir>fonts</dir>,<dir>${fontsDir}</dir>," \
+        > $TBDATA_PATH/fonts.conf
+
     # Generate a suitable wrapper
+    wrapper_PATH=${lib.makeBinPath [ coreutils ]}
+    wrapper_XDG_DATA_DIRS=${lib.concatMapStringsSep ":" (x: "${x}/share") [
+      hicolor_icon_theme
+      shared_mime_info
+    ]}
+
     mkdir -p $out/bin
     cat >$out/bin/tor-browser <<EOF
-    #! ${stdenv.shell} -e
+    #! ${stdenv.shell} -eu
 
-    THE_HOME=\$HOME
+    PATH=$wrapper_PATH
+
+    readonly THE_HOME=\$HOME
     TBB_HOME=\''${TBB_HOME:-\''${XDG_DATA_HOME:-$HOME/.local/share}/tor-browser}
+    if [[ \''${TBB_HOME:0:1} != / ]] ; then
+      TBB_HOME=\$PWD/\$TBB_HOME
+    fi
+    readonly TBB_HOME
+
+    # Basic sanity check: never want to vomit directly onto user's homedir
+    if [[ "\$TBB_HOME" = "\$THE_HOME" ]] ; then
+      echo 'TBB_HOME=\$HOME; refusing to run' >&2
+      exit 1
+    fi
+
     mkdir -p "\$TBB_HOME"
 
     HOME=\$TBB_HOME
     cd "\$HOME"
 
-    exec $self/firefox -no-remote about:tor
+    # Re-init XDG basedir envvars
+    XDG_CACHE_HOME=\$HOME/.cache
+    XDG_CONFIG_HOME=\$HOME/.config
+    XDG_DATA_HOME=\$HOME/.local/share
+
+    # Initialize empty TBB runtime state directory hierarchy.  Mirror the
+    # layout used by the official TBB, to avoid the hassle of working
+    # against the assumptions made by tor-launcher & co.
+    mkdir -p "\$HOME/TorBrowser" "\$HOME/TorBrowser/Data"
+
+    # Initialize the Tor data directory.
+    mkdir -p "\$HOME/TorBrowser/Data/Tor"
+
+    # TBB fails if ownership is too permissive
+    chmod 0700 "\$HOME/TorBrowser/Data/Tor"
+
+    # Initialize the browser profile state.  Expect TBB to generate all data.
+    mkdir -p "\$HOME/TorBrowser/Data/Browser/profile.default"
+
+    # Files that capture store paths; re-generated by firefox at startup
+    rm -rf "\$HOME/TorBrowser/Data/Browser/profile.default"/{compatibility.ini,extensions.ini,extensions.json,startupCache}
+
+    # Clear out fontconfig caches
+    rm -f "\$HOME/.cache/fontconfig/"*.cache-*
+
+    # Lift-off!
+    #
+    # TZ is set to avoid stat()ing /etc/localtime over and over ...
+    #
+    # DBUS_SESSION_BUS_ADDRESS is inherited to avoid auto-launching a new
+    # dbus instance; to prevent using the session bus, set the envvar to
+    # an empty/invalid value prior to running tor-browser.
+    #
+    # FONTCONFIG_FILE is required to make fontconfig read the TBB
+    # fonts.conf; upstream uses FONTCONFIG_PATH, but FC_DEBUG=1024
+    # indicates the system fonts.conf being used instead.
+    #
+    # HOME, TMPDIR, XDG_*_HOME are set as a form of soft confinement;
+    # ideally, tor-browser should not write to any path outside TBB_HOME
+    # and should run even under strict confinement to TBB_HOME.
+    #
+    # XDG_DATA_DIRS is set to prevent searching system directories for
+    # mime and icon data.
+    #
+    # Parameters lacking a default value below are *required* (enforced by
+    # -o nounset).
+    exec env -i \
+      TZ=":" \
+      \
+      DISPLAY="\$DISPLAY" \
+      XAUTHORITY="\$XAUTHORITY" \
+      DBUS_SESSION_BUS_ADDRESS="\$DBUS_SESSION_BUS_ADDRESS" \
+      \
+      HOME="\$HOME" \
+      TMPDIR="\$XDG_CACHE_HOME/tmp" \
+      XDG_CONFIG_HOME="\$XDG_CONFIG_HOME" \
+      XDG_DATA_HOME="\$XDG_DATA_HOME" \
+      XDG_CACHE_HOME="\$XDG_CACHE_HOME" \
+      \
+      XDG_DATA_DIRS="$wrapper_XDG_DATA_DIRS" \
+      \
+      FONTCONFIG_FILE="$TBDATA_IN_STORE/fonts.conf" \
+      \
+      $self/firefox \
+        -no-remote \
+        -profile "\$HOME/TorBrowser/Data/Browser/profile.default" \
+        "\$@"
     EOF
     chmod +x $out/bin/tor-browser
+
+    echo "Syntax checking wrapper ..."
+    bash -n $out/bin/tor-browser
+
+    echo "Checking wrapper ..."
+    DISPLAY="" XAUTHORITY="" DBUS_SESSION_BUS_ADDRESS="" TBB_HOME=$TMPDIR/tbb \
+    $out/bin/tor-browser -version >/dev/null
   '';
 
   meta = with stdenv.lib; {
diff --git a/pkgs/applications/science/math/caffe/default.nix b/pkgs/applications/science/math/caffe/default.nix
index 5c6fe9c573d..cb28d38bf1d 100644
--- a/pkgs/applications/science/math/caffe/default.nix
+++ b/pkgs/applications/science/math/caffe/default.nix
@@ -46,9 +46,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = lib.optional pythonSupport python.pkgs.protobuf;
 
-  outputs = [ "out" "bin" ];
-  # Don't propagate bin.
-  outputBin = "out";
+  outputs = [ "bin" "out"];
+  propagatedBuildOutputs = []; # otherwise propagates out -> bin cycle
 
   postInstall = ''
     # Internal static library.
diff --git a/pkgs/applications/video/shotcut/default.nix b/pkgs/applications/video/shotcut/default.nix
index 72dbf87fdef..88cb43b4d91 100644
--- a/pkgs/applications/video/shotcut/default.nix
+++ b/pkgs/applications/video/shotcut/default.nix
@@ -1,26 +1,29 @@
-{ stdenv, fetchurl, SDL, frei0r, gettext, mlt, jack1, pkgconfig, qtbase,
-qtmultimedia, qtwebkit, qtx11extras, qtwebsockets, qtquickcontrols,
-qtgraphicaleffects,
-qmake, makeWrapper }:
+{ stdenv, fetchFromGitHub, SDL2, frei0r, gettext, mlt, jack1, pkgconfig, qtbase
+, qtmultimedia, qtwebkit, qtx11extras, qtwebsockets, qtquickcontrols
+, qtgraphicaleffects, libmlt
+, qmake, makeWrapper }:
 
 stdenv.mkDerivation rec {
   name = "shotcut-${version}";
-  version = "17.02";
+  version = "17.09";
 
-  src = fetchurl {
-    url = "https://github.com/mltframework/shotcut/archive/v${version}.tar.gz";
-    sha256 = "09nygz1x9fvqf33gqpc6jnr1j7ny0yny3w2ngwqqfkf3f8n83qhr";
+  src = fetchFromGitHub {
+    owner = "mltframework";
+    repo = "shotcut";
+    rev = "v${version}";
+    sha256 = "061jmk1g2h7p82kyk2zgk19g0y3dgx3lppfnm6cdmi550b51qllb";
   };
 
-
   enableParallelBuilding = true;
   nativeBuildInputs = [ makeWrapper pkgconfig qmake ];
   buildInputs = [
-    SDL frei0r gettext mlt
+    SDL2 frei0r gettext mlt libmlt
     qtbase qtmultimedia qtwebkit qtx11extras qtwebsockets qtquickcontrols
     qtgraphicaleffects
   ];
 
+  NIX_CFLAGS_COMPILE = "-I${libmlt}/include/mlt++ -I${libmlt}/include/mlt";
+
   prePatch = ''
     sed 's_shotcutPath, "qmelt"_"${mlt}/bin/melt"_' -i src/jobs/meltjob.cpp
     sed 's_shotcutPath, "ffmpeg"_"${mlt.ffmpeg}/bin/ffmpeg"_' -i src/jobs/ffmpegjob.cpp
@@ -31,7 +34,7 @@ stdenv.mkDerivation rec {
   postInstall = ''
     mkdir -p $out/share/shotcut
     cp -r src/qml $out/share/shotcut/
-    wrapProgram $out/bin/shotcut --prefix FREI0R_PATH : ${frei0r}/lib/frei0r-1 --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath [ jack1 SDL ]} --prefix PATH : ${mlt}/bin
+    wrapProgram $out/bin/shotcut --prefix FREI0R_PATH : ${frei0r}/lib/frei0r-1 --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath [ jack1 SDL2 ]} --prefix PATH : ${mlt}/bin
   '';
 
   meta = with stdenv.lib; {
diff --git a/pkgs/applications/virtualization/docker/default.nix b/pkgs/applications/virtualization/docker/default.nix
index 043f27e13d2..f28ec6275b8 100644
--- a/pkgs/applications/virtualization/docker/default.nix
+++ b/pkgs/applications/virtualization/docker/default.nix
@@ -44,6 +44,13 @@ rec {
         rev = containerdRev;
         sha256 = containerdSha256;
       };
+
+      # This should go into the containerd derivation once 1.0.0 is out
+      preBuild = ''
+        mkdir $(pwd)/vendor/src
+        mv $(pwd)/vendor/{github.com,golang.org,google.golang.org} $(pwd)/vendor/src/
+        ln -s $(pwd) vendor/src/github.com/containerd/containerd
+      '';
     });
     docker-tini = tini.overrideAttrs  (oldAttrs: rec {
       name = "docker-init";
@@ -188,14 +195,14 @@ rec {
     tiniSha256 = "0zj4kdis1vvc6dwn4gplqna0bs7v6d1y2zc8v80s3zi018inhznw";
   };
 
-  docker_17_07 = dockerGen rec {
-    version = "17.07.0-ce";
-    rev = "87847530f7176a48348d196f7c23bbd058052af1"; # git commit
-    sha256 = "0zw9zlzbd7il33ch17ypwpa73gsb930sf2njnphg7ylvnqp8qzsp";
-    runcRev = "2d41c047c83e09a6d61d464906feb2a2f3c52aa4";
-    runcSha256 = "0v5iv29ck6lkxvxh7a56gfrlgfs0bjvjhrq3p6qqv9qjzv825byq";
-    containerdRev = "3addd840653146c90a254301d6c3a663c7fd6429";
-    containerdSha256 = "0as4s5wd57pdh1cyavkccpgs46kvlhr41v07qrv0phzffdhq3d5j";
+  docker_17_09 = dockerGen rec {
+    version = "17.09.0-ce";
+    rev = "afdb6d44a80f777069885a9ee0e0f86cf841b1bb"; # git commit
+    sha256 = "03g0imdcxqx9y4hhyymxqzvm8bqg4cqrmb7sjbxfdgrhzh9kcn1p";
+    runcRev = "3f2f8b84a77f73d38244dd690525642a72156c64";
+    runcSha256 = "0vaagmav8443kmyxac2y1y5l2ipcs1c7gdmsnvj48y9bafqx72rq";
+    containerdRev = "06b9cb35161009dcb7123345749fef02f7cea8e0";
+    containerdSha256 = "10hms8a2nn69nfnwly6923jzx40c3slpsdhjhff4bxh36flpf9gd";
     tiniRev = "949e6facb77383876aeff8a6944dde66b3089574";
     tiniSha256 = "0zj4kdis1vvc6dwn4gplqna0bs7v6d1y2zc8v80s3zi018inhznw";
   };
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix
index 274325b6785..2c94f7f6fec 100644
--- a/pkgs/applications/window-managers/sway/default.nix
+++ b/pkgs/applications/window-managers/sway/default.nix
@@ -6,20 +6,8 @@
 }:
 
 let
+  # TODO: Sway 0.14.0 with wlc 0.0.10 segfaults
   version = "0.13.0";
-  # Temporary workaround (0.14.0 segfaults)
-  wlc_009 = stdenv.lib.overrideDerivation wlc (oldAttrs: rec {
-    name = "wlc-${version}";
-    version = "0.0.9";
-
-    src = fetchFromGitHub {
-      owner = "Cloudef";
-      repo = "wlc";
-      rev = "v${version}";
-      fetchSubmodules = true;
-      sha256 = "1r6jf64gs7n9a8129wsc0mdwhcv44p8k87kg0714rhx3g2w22asg";
-    };
-  });
 in stdenv.mkDerivation rec {
   name = "sway-${version}";
 
@@ -35,7 +23,7 @@ in stdenv.mkDerivation rec {
     asciidoc libxslt docbook_xsl
   ];
   buildInputs = [
-    wayland wlc_009 libxkbcommon pixman fontconfig pcre json_c dbus_libs
+    wayland wlc libxkbcommon pixman fontconfig pcre json_c dbus_libs
     pango cairo libinput libcap xwayland pam gdk_pixbuf libpthreadstubs
     libXdmcp
   ];
@@ -48,7 +36,7 @@ in stdenv.mkDerivation rec {
   cmakeFlags = "-DVERSION=${version}";
   installPhase = "PREFIX=$out make install";
 
-  LD_LIBRARY_PATH = stdenv.lib.makeLibraryPath [ wlc_009 dbus_libs ];
+  LD_LIBRARY_PATH = stdenv.lib.makeLibraryPath [ wlc dbus_libs ];
   preFixup = ''
     wrapProgram $out/bin/sway \
       --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}";
diff --git a/pkgs/desktops/gnome-3/core/gcr/default.nix b/pkgs/desktops/gnome-3/core/gcr/default.nix
index 55eebf77be5..0798d69f9e6 100644
--- a/pkgs/desktops/gnome-3/core/gcr/default.nix
+++ b/pkgs/desktops/gnome-3/core/gcr/default.nix
@@ -5,6 +5,8 @@
 stdenv.mkDerivation rec {
   inherit (import ./src.nix fetchurl) name src;
 
+  outputs = [ "out" "dev" ];
+
   buildInputs = [
     pkgconfig intltool gnupg glib gobjectIntrospection libxslt
     libgcrypt libtasn1 dbus_glib gtk pango gdk_pixbuf atk makeWrapper vala_0_32
diff --git a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
index df47c1a477b..4baafecadd0 100644
--- a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
@@ -5,6 +5,8 @@
 stdenv.mkDerivation rec {
   inherit (import ./src.nix fetchurl) name src;
 
+  outputs = [ "out" "dev" ];
+
   buildInputs = with gnome3; [
     dbus libgcrypt pam python gtk3 gconf libgnome_keyring
     pango gcr gdk_pixbuf atk p11_kit
diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix
index fb5431ff8d5..606058da854 100644
--- a/pkgs/development/libraries/cwiid/default.nix
+++ b/pkgs/development/libraries/cwiid/default.nix
@@ -1,12 +1,14 @@
-{ stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk2 }:
+{ stdenv, fetchFromGitHub, autoreconfHook, bison, flex, bluez, pkgconfig, gtk2 }:
 
 stdenv.mkDerivation rec {
-  name = "cwiid-2010-02-21-git";
+  name = "cwiid-${version}-git";
+  version = "2010-02-21";
 
-  src = fetchgit {
-      url = https://github.com/abstrakraft/cwiid;
-      sha256 = "0qdb0x757k76nfj32xc2nrrdqd9jlwgg63vfn02l2iznnzahxp0h";
-      rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
+  src = fetchFromGitHub {
+    owner  = "abstrakraft";
+    repo   = "cwiid";
+    rev    = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
+    sha256 = "0qdb0x757k76nfj32xc2nrrdqd9jlwgg63vfn02l2iznnzahxp0h";
   };
 
   hardeningDisable = [ "format" ];
@@ -17,18 +19,20 @@ stdenv.mkDerivation rec {
     sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in
   '';
 
-  buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk2 ];
+  buildInputs = [ bison flex bluez gtk2 ];
+
+  nativeBuildInputs = [ autoreconfHook pkgconfig ];
 
   postInstall = ''
     # Some programs (for example, cabal-install) have problems with the double 0
     sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc
   '';
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "Linux Nintendo Wiimote interface";
-    homepage = http://cwiid.org;
-    license = stdenv.lib.licenses.gpl2Plus;
-    maintainers = [ stdenv.lib.maintainers.bennofs ];
-    platforms = stdenv.lib.platforms.linux;
+    homepage    = http://cwiid.org;
+    license     = licenses.gpl2Plus;
+    maintainers = with maintainers; [ bennofs ];
+    platforms   = platforms.linux;
   };
 }
diff --git a/pkgs/development/libraries/imlib2/default.nix b/pkgs/development/libraries/imlib2/default.nix
index 8c66dcec161..8d26cabc9b5 100644
--- a/pkgs/development/libraries/imlib2/default.nix
+++ b/pkgs/development/libraries/imlib2/default.nix
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
   configureFlags = optional stdenv.isDarwin "--enable-amd64=no"
     ++ optional (!x11Support) "--without-x";
 
-  outputs = [ "out" "bin" "dev" ];
+  outputs = [ "bin" "out" "dev" ];
 
   postInstall = ''
     moveToOutput bin/imlib2-config "$dev"
diff --git a/pkgs/development/libraries/libnfs/default.nix b/pkgs/development/libraries/libnfs/default.nix
new file mode 100644
index 00000000000..d9149a1fbac
--- /dev/null
+++ b/pkgs/development/libraries/libnfs/default.nix
@@ -0,0 +1,25 @@
+{ stdenv, fetchFromGitHub, autoreconfHook }:
+
+stdenv.mkDerivation rec {
+  name = "libnfs-${version}";
+  version = "2.0.0";
+
+  src = fetchFromGitHub {
+    owner = "sahlberg";
+    repo = "libnfs";
+    rev = "libnfs-${version}";
+    sha256 = "1xd1xb09jxwmx7hblv0f9gxv7i1glk3nbj2vyq50zpi158lnf2mb";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  enableParallelBuilding = true;
+
+  meta = with stdenv.lib; {
+    description = "NFS client library";
+    homepage    = https://github.com/sahlberg/libnfs;
+    license     = with licenses; [ lgpl2 bsd2 gpl3 ];
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms   = platforms.unix;
+  };
+}
diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix
index 936c88034aa..c67070094de 100644
--- a/pkgs/development/libraries/wlc/default.nix
+++ b/pkgs/development/libraries/wlc/default.nix
@@ -2,18 +2,19 @@
 , wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa
 , libdrm, udev, libX11, libXdamage, systemd, dbus_libs, wayland-protocols
 , libpthreadstubs, libXau, libXdmcp, libXext, libXxf86vm
+, withOptionalPackages ? true, zlib, valgrind, doxygen
 }:
 
 stdenv.mkDerivation rec {
   name = "wlc-${version}";
-  version = "0.0.10";
+  version = "0.0.9"; # 0.0.10 currently causes segfaults
 
   src = fetchFromGitHub {
     owner = "Cloudef";
     repo = "wlc";
     rev = "v${version}";
     fetchSubmodules = true;
-    sha256 = "09kvwhrpgkxlagn9lgqxc80jbg56djn29a6z0n6h0dsm90ysyb2k";
+    sha256 = "1r6jf64gs7n9a8129wsc0mdwhcv44p8k87kg0714rhx3g2w22asg";
   };
 
   nativeBuildInputs = [ cmake pkgconfig ];
@@ -21,8 +22,8 @@ stdenv.mkDerivation rec {
   buildInputs = [
     wayland pixman libxkbcommon libinput libxcb xcbutilwm xcbutilimage mesa
     libdrm udev libX11 libXdamage systemd dbus_libs wayland-protocols
-    libpthreadstubs libXau libXdmcp libXext libXxf86vm
-  ];
+    libpthreadstubs libXau libXdmcp libXext libXxf86vm ]
+    ++ stdenv.lib.optionals withOptionalPackages [ zlib valgrind doxygen ];
 
   doCheck = true;
   checkTarget = "test";
diff --git a/pkgs/development/lisp-modules/quicklisp-to-nix-output/cl-protobufs.nix b/pkgs/development/lisp-modules/quicklisp-to-nix-output/cl-protobufs.nix
new file mode 100644
index 00000000000..7ec440076c3
--- /dev/null
+++ b/pkgs/development/lisp-modules/quicklisp-to-nix-output/cl-protobufs.nix
@@ -0,0 +1,30 @@
+args @ { fetchurl, ... }:
+rec {
+  baseName = ''cl-protobufs'';
+  version = ''20170403-git'';
+
+  description = ''Protobufs for Common Lisp'';
+
+  deps = [ args."alexandria" args."babel" args."closer-mop" args."trivial-features" args."trivial-garbage" ];
+
+  src = fetchurl {
+    url = ''http://beta.quicklisp.org/archive/cl-protobufs/2017-04-03/cl-protobufs-20170403-git.tgz'';
+    sha256 = ''0ibpl076k8gq79sacg96mzjf5hqkrxzi5wlx3bjap52pla53w4g5'';
+  };
+
+  packageName = "cl-protobufs";
+
+  asdFilesToKeep = ["cl-protobufs.asd"];
+  overrides = x: x;
+}
+/* (SYSTEM cl-protobufs DESCRIPTION Protobufs for Common Lisp SHA256
+    0ibpl076k8gq79sacg96mzjf5hqkrxzi5wlx3bjap52pla53w4g5 URL
+    http://beta.quicklisp.org/archive/cl-protobufs/2017-04-03/cl-protobufs-20170403-git.tgz
+    MD5 86c8da92b246b4b77d6107bc5dfaff08 NAME cl-protobufs FILENAME
+    cl-protobufs DEPS
+    ((NAME alexandria FILENAME alexandria) (NAME babel FILENAME babel)
+     (NAME closer-mop FILENAME closer-mop)
+     (NAME trivial-features FILENAME trivial-features)
+     (NAME trivial-garbage FILENAME trivial-garbage))
+    DEPENDENCIES (alexandria babel closer-mop trivial-features trivial-garbage)
+    VERSION 20170403-git SIBLINGS (cl-protobufs-tests) PARASITES NIL) */
diff --git a/pkgs/development/lisp-modules/quicklisp-to-nix-systems.txt b/pkgs/development/lisp-modules/quicklisp-to-nix-systems.txt
index 32ef6367e27..49aa941094b 100644
--- a/pkgs/development/lisp-modules/quicklisp-to-nix-systems.txt
+++ b/pkgs/development/lisp-modules/quicklisp-to-nix-systems.txt
@@ -33,6 +33,7 @@ closer-mop
 cl-ppcre
 cl-ppcre-template
 cl-ppcre-unicode
+cl-protobufs
 cl-reexport
 cl-smtp
 clsql
diff --git a/pkgs/development/lisp-modules/quicklisp-to-nix.nix b/pkgs/development/lisp-modules/quicklisp-to-nix.nix
index 22b58895747..86817e14f55 100644
--- a/pkgs/development/lisp-modules/quicklisp-to-nix.nix
+++ b/pkgs/development/lisp-modules/quicklisp-to-nix.nix
@@ -2012,6 +2012,19 @@ let quicklisp-to-nix-packages = rec {
        }));
 
 
+  "cl-protobufs" = buildLispPackage
+    ((f: x: (x // (f x)))
+       (qlOverrides."cl-protobufs" or (x: {}))
+       (import ./quicklisp-to-nix-output/cl-protobufs.nix {
+         inherit fetchurl;
+           "alexandria" = quicklisp-to-nix-packages."alexandria";
+           "babel" = quicklisp-to-nix-packages."babel";
+           "closer-mop" = quicklisp-to-nix-packages."closer-mop";
+           "trivial-features" = quicklisp-to-nix-packages."trivial-features";
+           "trivial-garbage" = quicklisp-to-nix-packages."trivial-garbage";
+       }));
+
+
   "cl-ppcre-unicode" = buildLispPackage
     ((f: x: (x // (f x)))
        (qlOverrides."cl-ppcre-unicode" or (x: {}))
diff --git a/pkgs/development/node-packages/node-packages-v6.nix b/pkgs/development/node-packages/node-packages-v6.nix
index ba2a6c77ce2..bd4a3e5abcc 100644
--- a/pkgs/development/node-packages/node-packages-v6.nix
+++ b/pkgs/development/node-packages/node-packages-v6.nix
@@ -23701,10 +23701,10 @@ in
   bower2nix = nodeEnv.buildNodePackage {
     name = "bower2nix";
     packageName = "bower2nix";
-    version = "3.1.1";
+    version = "3.2.0";
     src = fetchurl {
-      url = "https://registry.npmjs.org/bower2nix/-/bower2nix-3.1.1.tgz";
-      sha1 = "77cc8f966a3595686f5d6fae30ad9bd2cc20bfe3";
+      url = "https://registry.npmjs.org/bower2nix/-/bower2nix-3.2.0.tgz";
+      sha1 = "nlzr17lidjf72s60vcsnqpjxgnnsn32s";
     };
     dependencies = [
       sources."argparse-1.0.4"
@@ -37338,4 +37338,4 @@ in
     };
     production = true;
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/development/python-modules/cffi/default.nix b/pkgs/development/python-modules/cffi/default.nix
index 5b0265601a3..cced78c0c6a 100644
--- a/pkgs/development/python-modules/cffi/default.nix
+++ b/pkgs/development/python-modules/cffi/default.nix
@@ -10,6 +10,8 @@ if isPyPy then null else buildPythonPackage rec {
     sha256 = "1mffyilq4qycm8gs4wkgb18rnqil8a9blqq77chdlshzxc8jkc5k";
   };
 
+  outputs = [ "out" "dev" ];
+
   propagatedBuildInputs = [ libffi pycparser ];
   buildInputs = [ pytest ];
 
diff --git a/pkgs/development/python-modules/phonenumbers/default.nix b/pkgs/development/python-modules/phonenumbers/default.nix
index 53ec2c292fc..5f54fb12ec2 100644
--- a/pkgs/development/python-modules/phonenumbers/default.nix
+++ b/pkgs/development/python-modules/phonenumbers/default.nix
@@ -2,12 +2,12 @@
 
 buildPythonPackage rec {
   pname = "phonenumbers";
-  version = "8.8.1";
+  version = "8.8.2";
   name = "${pname}-${version}";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "09f4b307v6wn5zs6spvp5icwad3dz9baf7d14hyvpnxn7cdqj2xy";
+    sha256 = "0xwis5hvp2wmnzqxax8896vhyb3q2fs9l9ilvyr44jdh3342dxpx";
   };
 
   meta = {
diff --git a/pkgs/development/python-modules/requests/default.nix b/pkgs/development/python-modules/requests/default.nix
index b85bb54a4f1..f3ff4a84f1e 100644
--- a/pkgs/development/python-modules/requests/default.nix
+++ b/pkgs/development/python-modules/requests/default.nix
@@ -12,6 +12,8 @@ buildPythonPackage rec {
     sha256 = "0zi3v9nsmv9j27d0c0m1dvqyvaxz53g8m0aa1h3qanxs4irkwi4w";
   };
 
+  outputs = [ "out" "dev" ];
+
   nativeBuildInputs = [ pytest ];
   propagatedBuildInputs = [ urllib3 idna chardet certifi ];
   # sadly, tests require networking
diff --git a/pkgs/development/ruby-modules/gem-config/default.nix b/pkgs/development/ruby-modules/gem-config/default.nix
index 6647d71bd00..a0d4b9adcbe 100644
--- a/pkgs/development/ruby-modules/gem-config/default.nix
+++ b/pkgs/development/ruby-modules/gem-config/default.nix
@@ -183,7 +183,7 @@ in
 
   pg = attrs: {
     buildFlags = [
-      "--with-pg-config=${postgresql}/bin/pg_config"
+      "--with-pg-config=${postgresql.dev}/bin/pg_config"
     ];
   };
 
diff --git a/pkgs/os-specific/linux/kernel/linux-4.12.nix b/pkgs/os-specific/linux/kernel/linux-4.12.nix
deleted file mode 100644
index bff0f5db953..00000000000
--- a/pkgs/os-specific/linux/kernel/linux-4.12.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ stdenv, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
-
-import ./generic.nix (args // rec {
-  version = "4.12.14";
-  extraMeta.branch = "4.12";
-
-  src = fetchurl {
-    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "09zxmknh6awhqmj8dyq95bdlwcasryy35hkjxjlzixdgn52kzaw6";
-  };
-} // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.13.nix b/pkgs/os-specific/linux/kernel/linux-4.13.nix
index d1c4d8ba8e7..c45afd1cbeb 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.13.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.13.nix
@@ -1,11 +1,11 @@
 { stdenv, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.13.3";
+  version = "4.13.4";
   extraMeta.branch = "4.13";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1ayai3i0jakxzszpijhknjiwwi055wa74bpmnr0n7dh2l5s2rlh3";
+    sha256 = "087lv2laf4wx28z9zqg9s275nzygica0hc1g8vn5ql6yb7mrb7m0";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index 5033bb88f79..6531323c1d5 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -1,11 +1,11 @@
 { stdenv, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.9.51";
+  version = "4.9.52";
   extraMeta.branch = "4.9";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "12mag09scyzi5a352y39y4b6rjh89qqca53hhmjc396q09hsdyl3";
+    sha256 = "12h4w6x0zcl8kpia2y7myv7w7i0dihw4g8v638fs8bzk3d7h7pgz";
   };
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 31af8a49de1..cd0c283edbb 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -70,6 +70,6 @@ in
     splUnstable = common {
       version = "2017-09-26";
       rev = "e8474f9ad3b3d23c3277535c4f53f8fd1e6cbd74";
-      sha256 = "1hydfhmngpq31gxkxipqxnin74l760d1ia202h12vsgix9sp32h7";
+      sha256 = "0251cnffgx98nckgz6imwa8dnvba44wc02aacmr1n430gmq72xra";
     };
 }
diff --git a/pkgs/servers/emby/default.nix b/pkgs/servers/emby/default.nix
index 5b749b92c03..678fb42acd5 100644
--- a/pkgs/servers/emby/default.nix
+++ b/pkgs/servers/emby/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "emby-${version}";
-  version = "3.2.30.0";
+  version = "3.2.32.0";
 
   src = fetchurl {
     url = "https://github.com/MediaBrowser/Emby/releases/download/${version}/Emby.Mono.zip";
-    sha256 = "1aqal7n4a9dvy97zw4aah9a8jm4l2v1qgjgs5kvskrvir2dbid27";
+    sha256 = "0bwcqwh9g8yrkh1schfr30jf5m2w3r2raczq5x94vjfs8i6dmqh0";
   };
 
   buildInputs = with pkgs; [
diff --git a/pkgs/servers/sql/mariadb/default.nix b/pkgs/servers/sql/mariadb/default.nix
index 3ede229931e..a2e5fbb6df9 100644
--- a/pkgs/servers/sql/mariadb/default.nix
+++ b/pkgs/servers/sql/mariadb/default.nix
@@ -15,11 +15,11 @@ mariadb = everything // {
 };
 
 common = rec { # attributes common to both builds
-  version = "10.1.25";
+  version = "10.1.26";
 
   src = fetchurl {
     url    = "https://downloads.mariadb.org/f/mariadb-${version}/source/mariadb-${version}.tar.gz/from/http%3A//ftp.hosteurope.de/mirror/archive.mariadb.org/?serve";
-    sha256 = "1mm0n8sl6grajk5rbrx55333laz5dg2abyl8mlsn7h8vdymfq1bj";
+    sha256 = "0ggpdcal0if9y6h9hp1yv2q65cbkjfl4p8rqk68a5pk7k75v325s";
     name   = "mariadb-${version}.tar.gz";
   };
 
diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix
index 022ac15aee7..980ed5056a1 100644
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@@ -46,7 +46,7 @@ let
       let path = if atLeast "9.6" then "src/common/config_info.c" else "src/bin/pg_config/pg_config.c"; in
         ''
           # Hardcode the path to pgxs so pg_config returns the path in $out
-          substituteInPlace "${path}" --replace HARDCODED_PGXS_PATH $out/lib
+          substituteInPlace "${path}" --replace HARDCODED_PGXS_PATH $dev/lib
         '';
 
     postInstall =
diff --git a/pkgs/tools/backup/bacula/default.nix b/pkgs/tools/backup/bacula/default.nix
index 374122814c5..7c368ce4d03 100644
--- a/pkgs/tools/backup/bacula/default.nix
+++ b/pkgs/tools/backup/bacula/default.nix
@@ -12,9 +12,9 @@ stdenv.mkDerivation rec {
     # acl relies on attr, which I can't get to build on darwin
     ++ stdenv.lib.optional (!stdenv.isDarwin) acl;
 
-  configureFlags = [ 
+  configureFlags = [
     "--with-sqlite3=${sqlite.dev}"
-    "--with-postgresql=${postgresql}"
+    "--with-postgresql=${postgresql.dev}"
   ];
 
   postInstall = ''
diff --git a/pkgs/tools/inputmethods/ibus-engines/ibus-anthy/default.nix b/pkgs/tools/inputmethods/ibus-engines/ibus-anthy/default.nix
index f93edffa7bd..53b2a3abf28 100644
--- a/pkgs/tools/inputmethods/ibus-engines/ibus-anthy/default.nix
+++ b/pkgs/tools/inputmethods/ibus-engines/ibus-anthy/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
   configureFlags = [ "--with-anthy-zipcode=${anthy}/share/anthy/zipcode.t" ];
 
   buildInputs = [
-    anthy glib gobjectIntrospection gtk3 ibus python3
+    anthy glib gobjectIntrospection gtk3 ibus (python3.withPackages (ps: [ps.pygobject3]))
   ];
 
   nativeBuildInputs = [ intltool pkgconfig python3.pkgs.wrapPython ];
diff --git a/pkgs/tools/inputmethods/ibus-engines/ibus-hangul/default.nix b/pkgs/tools/inputmethods/ibus-engines/ibus-hangul/default.nix
index 74253fa09fc..f70c7d02e9f 100644
--- a/pkgs/tools/inputmethods/ibus-engines/ibus-hangul/default.nix
+++ b/pkgs/tools/inputmethods/ibus-engines/ibus-hangul/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "120p9w7za6hi521hz8q235fkl4i3p1qqr8nqm4a3kxr0pcq40bd2";
   };
 
-  buildInputs = [ gtk3 ibus libhangul ];
+  buildInputs = [ gtk3 ibus libhangul python3 ];
 
   nativeBuildInputs = [ intltool pkgconfig python3.pkgs.wrapPython ];
 
diff --git a/pkgs/tools/inputmethods/ibus/default.nix b/pkgs/tools/inputmethods/ibus/default.nix
index 66d61b8c5e9..3b076bb8ff6 100644
--- a/pkgs/tools/inputmethods/ibus/default.nix
+++ b/pkgs/tools/inputmethods/ibus/default.nix
@@ -110,6 +110,10 @@ in stdenv.mkDerivation rec {
   doInstallCheck = true;
   installCheckPhase = "$out/bin/ibus version";
 
+  postInstall = ''
+    moveToOutput "bin/ibus-setup" "$dev"
+  '';
+
   meta = with stdenv.lib; {
     homepage = https://github.com/ibus/ibus;
     description = "Intelligent Input Bus for Linux / Unix OS";
diff --git a/pkgs/tools/inputmethods/ibus/wrapper.nix b/pkgs/tools/inputmethods/ibus/wrapper.nix
index 13035698827..d41ba1e791f 100644
--- a/pkgs/tools/inputmethods/ibus/wrapper.nix
+++ b/pkgs/tools/inputmethods/ibus/wrapper.nix
@@ -21,7 +21,7 @@ let
         done
     done
 
-    for prog in ibus ibus-setup; do
+    for prog in ibus; do
         wrapProgram "$out/bin/$prog" \
           --set GDK_PIXBUF_MODULE_FILE ${librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache \
           --prefix GI_TYPELIB_PATH : "$GI_TYPELIB_PATH:$out/lib/girepository-1.0" \
diff --git a/pkgs/tools/networking/network-manager-applet/default.nix b/pkgs/tools/networking/network-manager-applet/default.nix
index c0c4950f447..3220aebdfe4 100644
--- a/pkgs/tools/networking/network-manager-applet/default.nix
+++ b/pkgs/tools/networking/network-manager-applet/default.nix
@@ -1,7 +1,8 @@
 { stdenv, fetchurl, intltool, pkgconfig, libglade, networkmanager, gnome3
 , libnotify, libsecret, polkit, isocodes, modemmanager, librsvg
 , mobile_broadband_provider_info, glib_networking, gsettings_desktop_schemas
-, makeWrapper, udev, libgudev, hicolor_icon_theme, jansson, wrapGAppsHook, webkitgtk }:
+, makeWrapper, udev, libgudev, hicolor_icon_theme, jansson, wrapGAppsHook, webkitgtk
+, withGnome ? false }:
 
 stdenv.mkDerivation rec {
   name    = "${pname}-${major}.${minor}";
@@ -24,8 +25,8 @@ stdenv.mkDerivation rec {
   buildInputs = [
     gnome3.gtk libglade networkmanager libnotify libsecret gsettings_desktop_schemas
     polkit isocodes makeWrapper udev libgudev gnome3.gconf gnome3.libgnome_keyring
-    modemmanager jansson librsvg glib_networking gnome3.dconf webkitgtk
-  ];
+    modemmanager jansson librsvg glib_networking gnome3.dconf
+  ] ++ stdenv.lib.optional withGnome webkitgtk;
 
   nativeBuildInputs = [ intltool pkgconfig wrapGAppsHook ];
 
diff --git a/pkgs/tools/security/metasploit/default.nix b/pkgs/tools/security/metasploit/default.nix
index 15a30db522e..37796fef174 100644
--- a/pkgs/tools/security/metasploit/default.nix
+++ b/pkgs/tools/security/metasploit/default.nix
@@ -35,14 +35,14 @@ in stdenv.mkDerivation rec {
 
     cp -r * $out/share/msf
 
-    for i in $out/share/msf/msf*; do
-      bin=$out/bin/$(basename $i)
-      cat > $bin <<EOF
-#!/bin/sh -e
-exec ${env}/bin/bundle exec ${ruby}/bin/ruby $i "\$@"
-EOF
-      chmod +x $bin
-    done
+    (
+      cd $out/share/msf/
+      for i in msf*; do
+        makeWrapper ${env}/bin/bundle $out/bin/$i \
+          --add-flags "exec ${ruby}/bin/ruby $out/share/msf/$i"
+      done
+    )
+
   '';
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/security/sshuttle/default.nix b/pkgs/tools/security/sshuttle/default.nix
index 2d663175ec9..960d11521a7 100644
--- a/pkgs/tools/security/sshuttle/default.nix
+++ b/pkgs/tools/security/sshuttle/default.nix
@@ -1,6 +1,6 @@
 { stdenv, python3Packages, fetchurl, makeWrapper, pandoc
-, coreutils, iptables, nettools, openssh, procps }:
-  
+, coreutils, iptables, nettools, openssh, procps, fetchpatch }:
+
 python3Packages.buildPythonApplication rec {
   name = "sshuttle-${version}";
   version = "0.78.3";
@@ -10,7 +10,13 @@ python3Packages.buildPythonApplication rec {
     url = "mirror://pypi/s/sshuttle/${name}.tar.gz";
   };
 
-  patches = [ ./sudo.patch ];
+  patches = [
+    ./sudo.patch
+    (fetchpatch {
+      url = "https://github.com/sshuttle/sshuttle/commit/91aa6ff625f7c89a19e6f8702425cfead44a146f.patch";
+      sha256 = "0sqcc6kj53wlas2d3klbyilhns6vakzwbbp8y7j9wlmbnc530pks";
+    })
+  ];
 
   nativeBuildInputs = [ makeWrapper pandoc python3Packages.setuptools_scm ];
   buildInputs =
@@ -29,7 +35,7 @@ python3Packages.buildPythonApplication rec {
   wrapProgram $out/bin/sshuttle \
     --prefix PATH : "${mapPath (x: "${x}/bin") buildInputs}" \
   '';
-  
+
   meta = with stdenv.lib; {
     homepage = https://github.com/sshuttle/sshuttle/;
     description = "Transparent proxy server that works as a poor man's VPN";
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e8c1c2b3e04..78870b391a0 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9143,6 +9143,8 @@ with pkgs;
 
   libnfc = callPackage ../development/libraries/libnfc { };
 
+  libnfs = callPackage ../development/libraries/libnfs { };
+
   libnfsidmap = callPackage ../development/libraries/libnfsidmap { };
 
   libnice = callPackage ../development/libraries/libnice { };
@@ -9279,8 +9281,8 @@ with pkgs;
 
   libminc = callPackage ../development/libraries/libminc { };
 
-  libmirage = callPackage ../misc/emulators/cdemu/libmirage.nix { }; 
-  
+  libmirage = callPackage ../misc/emulators/cdemu/libmirage.nix { };
+
   libmkv = callPackage ../development/libraries/libmkv { };
 
   libmms = callPackage ../development/libraries/libmms { };
@@ -12295,22 +12297,6 @@ with pkgs;
       ];
   };
 
-  linux_4_12 = callPackage ../os-specific/linux/kernel/linux-4.12.nix {
-    kernelPatches =
-      [ kernelPatches.bridge_stp_helper
-        kernelPatches.p9_fixes
-        # See pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
-        # when adding a new linux version
-        kernelPatches.cpu-cgroup-v2."4.11"
-        kernelPatches.modinst_arg_list_too_long
-      ]
-      ++ lib.optionals ((platform.kernelArch or null) == "mips")
-      [ kernelPatches.mips_fpureg_emu
-        kernelPatches.mips_fpu_sigill
-        kernelPatches.mips_ext3_n32
-      ];
-  };
-
   linux_4_13 = callPackage ../os-specific/linux/kernel/linux-4.13.nix {
     kernelPatches =
       [ kernelPatches.bridge_stp_helper
@@ -12520,7 +12506,6 @@ with pkgs;
   linuxPackages_mptcp = linuxPackagesFor pkgs.linux_mptcp;
   linuxPackages_rpi = linuxPackagesFor pkgs.linux_rpi;
   linuxPackages_4_9 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_9);
-  linuxPackages_4_12 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_12);
   linuxPackages_4_13 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_13);
   # Don't forget to update linuxPackages_latest!
 
@@ -13979,10 +13964,10 @@ with pkgs;
 
   inherit (callPackage ../applications/virtualization/docker { })
     docker_17_06
-    docker_17_07;
+    docker_17_09;
 
-  docker = docker_17_06;
-  docker-edge = docker_17_07;
+  docker = docker_17_09;
+  docker-edge = docker_17_09;
 
   docker-proxy = callPackage ../applications/virtualization/docker/proxy.nix { };
 
@@ -15608,7 +15593,9 @@ with pkgs;
 
   scudcloud = callPackage ../applications/networking/instant-messengers/scudcloud { };
 
-  shotcut = libsForQt5.callPackage ../applications/video/shotcut { };
+  shotcut = libsForQt5.callPackage ../applications/video/shotcut {
+    libmlt = mlt;
+  };
 
   smplayer = libsForQt5.callPackage ../applications/video/smplayer { };
 
diff --git a/pkgs/top-level/node-packages-generated.nix b/pkgs/top-level/node-packages-generated.nix
index 432a367d153..3014273e5c3 100644
--- a/pkgs/top-level/node-packages-generated.nix
+++ b/pkgs/top-level/node-packages-generated.nix
@@ -5381,15 +5381,15 @@
     cpu = [ ];
   };
   by-spec."bower2nix"."*" =
-    self.by-version."bower2nix"."3.1.1";
-  by-version."bower2nix"."3.1.1" = self.buildNodePackage {
-    name = "bower2nix-3.1.1";
-    version = "3.1.1";
+    self.by-version."bower2nix"."3.2.0";
+  by-version."bower2nix"."3.2.0" = self.buildNodePackage {
+    name = "bower2nix-3.2.0";
+    version = "3.2.0";
     bin = true;
     src = fetchurl {
-      url = "https://registry.npmjs.org/bower2nix/-/bower2nix-3.1.1.tgz";
-      name = "bower2nix-3.1.1.tgz";
-      sha1 = "wfzj1k6jkfnk1bkgbmpni59mdab8zk3p";
+      url = "https://registry.npmjs.org/bower2nix/-/bower2nix-3.2.0.tgz";
+      name = "bower2nix-3.2.0.tgz";
+      sha1 = "nlzr17lidjf72s60vcsnqpjxgnnsn32s";
     };
     deps = {
       "argparse-1.0.4" = self.by-version."argparse"."1.0.4";
@@ -5410,7 +5410,7 @@
     os = [ ];
     cpu = [ ];
   };
-  "bower2nix" = self.by-version."bower2nix"."3.0.1";
+  "bower2nix" = self.by-version."bower2nix"."3.2.0";
   by-spec."bplist-creator"."0.0.4" =
     self.by-version."bplist-creator"."0.0.4";
   by-version."bplist-creator"."0.0.4" = self.buildNodePackage {
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 1c56fe5f1ab..70c334dda0b 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -3295,6 +3295,8 @@ in {
       sha256 = "d04bb2425086c3fe86f7bc48915290b13e798497839fbb18ab7f6dffcf98cc3a";
     };
 
+    outputs = [ "out" "dev" ];
+
     buildInputs = [ pkgs.openssl self.cryptography_vectors ]
                ++ optional stdenv.isDarwin pkgs.darwin.apple_sdk.frameworks.Security;
     propagatedBuildInputs = with self; [
@@ -7344,19 +7346,18 @@ in {
       sha256 = "0dhbzc4q0vsnv3aihy728aczg56xs6h9s1rmvr096q4lb6yln3w4";
     };
 
-    buildInputs = with self; [
+    checkInputs = with self; [
       docutils
       virtualenv
       webtest
       zope_component
-      zope_interface
-      plaster
-      plaster-pastedeploy
-      hupper
     ] ++ optional isPy26 unittest2;
 
     propagatedBuildInputs = with self; [
+      hupper
       PasteDeploy
+      plaster
+      plaster-pastedeploy
       repoze_lru
       repoze_sphinx_autointerface
       translationstring
@@ -17817,6 +17818,8 @@ in {
       sha256 = "0d283g4zi0hr9papd24mjl70mi15gyzq6fx618rizi87dgipqqax";
     };
 
+    outputs = [ "out" "dev" ];
+
     preCheck = ''
       sed -i 's/test_set_default_verify_paths/noop/' tests/test_ssl.py
       # https://github.com/pyca/pyopenssl/issues/692