diff --git a/nixos/modules/services/networking/dnscrypt-wrapper.nix b/nixos/modules/services/networking/dnscrypt-wrapper.nix
index 85fac660d52..23cc92946e4 100644
--- a/nixos/modules/services/networking/dnscrypt-wrapper.nix
+++ b/nixos/modules/services/networking/dnscrypt-wrapper.nix
@@ -45,7 +45,7 @@ let
   rotateKeys = ''
     # check if keys are not expired
     keyValid() {
-      fingerprint=$(dnscrypt-wrapper --show-provider-publickey-fingerprint | awk '{print $(NF)}')
+      fingerprint=$(dnscrypt-wrapper --show-provider-publickey | awk '{print $(NF)}')
       dnscrypt-proxy --test=${toString (cfg.keys.checkInterval + 1)} \
         --resolver-address=127.0.0.1:${toString cfg.port} \
         --provider-name=${cfg.providerName} \
@@ -56,9 +56,10 @@ let
 
     # archive old keys and restart the service
     if ! keyValid; then
+      echo "certificate soon to become invalid; backing up old cert"
       mkdir -p oldkeys
-      mv ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
-      mv ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
+      mv -v ${cfg.providerName}.key oldkeys/${cfg.providerName}-$(date +%F-%T).key
+      mv -v ${cfg.providerName}.crt oldkeys/${cfg.providerName}-$(date +%F-%T).crt
       systemctl restart dnscrypt-wrapper
     fi
   '';
@@ -169,6 +170,7 @@ in {
 
       path   = with pkgs; [ dnscrypt-wrapper dnscrypt-proxy gawk ];
       script = rotateKeys;
+      serviceConfig.User = "dnscrypt-wrapper";
     };
 
 
diff --git a/pkgs/applications/editors/tiled/default.nix b/pkgs/applications/editors/tiled/default.nix
index 7e8a85cf48a..d1c0ab274f0 100644
--- a/pkgs/applications/editors/tiled/default.nix
+++ b/pkgs/applications/editors/tiled/default.nix
@@ -5,13 +5,13 @@ let
 #  qtEnv = with qt5; env "qt-${qtbase.version}" [ qtbase qttools ];
 in stdenv.mkDerivation rec {
   name = "tiled-${version}";
-  version = "1.0.1";
+  version = "1.0.3";
 
   src = fetchFromGitHub {
     owner = "bjorn";
     repo = "tiled";
     rev = "v${version}";
-    sha256 = "062ja3j84v5s4qslp01gqif8c6i1klkkxpxyyrrvjhxmbyn6nmgd";
+    sha256 = "1j8307h7xkxqwr8rpr9fn1svm5h10k61w6zxr4sgph1hiv8x33aa";
   };
 
   nativeBuildInputs = [ pkgconfig qmake ];
diff --git a/pkgs/applications/graphics/mcomix/default.nix b/pkgs/applications/graphics/mcomix/default.nix
index 20c01f77bbf..318c2caee6f 100644
--- a/pkgs/applications/graphics/mcomix/default.nix
+++ b/pkgs/applications/graphics/mcomix/default.nix
@@ -11,6 +11,10 @@ python27Packages.buildPythonApplication rec {
 
     propagatedBuildInputs = with python27Packages; [ pygtk pillow ];
 
+    postPatch = ''
+      sed -i -e '/test_suite/d' setup.py
+    '';
+
     meta = {
       description = "Image viewer designed to handle comic books";
 
diff --git a/pkgs/applications/graphics/rawtherapee/default.nix b/pkgs/applications/graphics/rawtherapee/default.nix
index 97d04b03622..3edb97e3e20 100644
--- a/pkgs/applications/graphics/rawtherapee/default.nix
+++ b/pkgs/applications/graphics/rawtherapee/default.nix
@@ -3,14 +3,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "5.0-r1";
+  version = "5.2";
   name = "rawtherapee-" + version;
 
   src = fetchFromGitHub {
     owner = "Beep6581";
     repo = "RawTherapee";
-    rev = version + "-gtk3";
-    sha256 = "06v3ir5562yg4zk9z8kc8a7sw7da88193sizjlk74gh5d3smgr4q";
+    rev = version;
+    sha256 = "0i3cr3335bw8yxxzn6kcdx6ccinlnxzrdbgl3ld1kym1w2n5449k";
   };
 
   buildInputs = [
@@ -22,6 +22,7 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = [
     "-DPROC_TARGET_NUMBER=2"
+    "-DCACHE_NAME_SUFFIX=\"\""
   ];
 
   CMAKE_CXX_FLAGS = "-std=c++11 -Wno-deprecated-declarations -Wno-unused-result";
diff --git a/pkgs/applications/window-managers/i3/default.nix b/pkgs/applications/window-managers/i3/default.nix
index c706b5a1928..54dfc08e3b5 100644
--- a/pkgs/applications/window-managers/i3/default.nix
+++ b/pkgs/applications/window-managers/i3/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
       sed -i 's/which/command -v/' $program
     done
 
-    install -vD -t $out/share/man/man1 man/*.1
+    install -vD -t $out/share/man/man1 man/*.{1,man}
   '';
 
   separateDebugInfo = true;
diff --git a/pkgs/applications/window-managers/i3/gaps.nix b/pkgs/applications/window-managers/i3/gaps.nix
index f3472be7a72..58ab5b1d676 100644
--- a/pkgs/applications/window-managers/i3/gaps.nix
+++ b/pkgs/applications/window-managers/i3/gaps.nix
@@ -3,12 +3,12 @@
 i3.overrideDerivation (super : rec {
 
   name = "i3-gaps-${version}";
-  version = "4.13";
-  releaseDate = "2016-11-08";
+  version = "4.14";
+  releaseDate = "2017-09-04";
 
   src = fetchurl {
     url = "https://github.com/Airblader/i3/archive/${version}.tar.gz";
-    sha256 = "0w959nx2crn00fckqwb5y78vcr1j9mvq5lh25wyjszx04pjhf378";
+    sha256 = "08y2m0afcm8mbzb92qz286fd1hnqfya2pvhpxbgv83sgjcsg6hlr";
   };
 
   nativeBuildInputs = super.nativeBuildInputs ++ [ autoreconfHook ];
diff --git a/pkgs/development/compilers/go/1.9.nix b/pkgs/development/compilers/go/1.9.nix
index 1a148447c6b..c5d44af2b5b 100644
--- a/pkgs/development/compilers/go/1.9.nix
+++ b/pkgs/development/compilers/go/1.9.nix
@@ -95,9 +95,10 @@ stdenv.mkDerivation rec {
     sed -i 's,/_go_os_test,'"$TMPDIR"'/_go_os_test,' src/os/path_test.go
 
     sed -i '/TestChdirAndGetwd/areturn' src/os/os_test.go
-    sed -i '/TestRead0/areturn' src/os/os_test.go
-    sed -i '/TestNohup/areturn' src/os/signal/signal_test.go
+    sed -i '/TestCredentialNoSetGroups/areturn' src/os/exec/exec_posix_test.go
     sed -i '/TestCurrent/areturn' src/os/user/user_test.go
+    sed -i '/TestNohup/areturn' src/os/signal/signal_test.go
+    sed -i '/TestRead0/areturn' src/os/os_test.go
     sed -i '/TestSystemRoots/areturn' src/crypto/x509/root_darwin_test.go
 
     sed -i '/TestGoInstallRebuildsStalePackagesInOtherGOPATH/areturn' src/cmd/go/go_test.go
@@ -106,7 +107,6 @@ stdenv.mkDerivation rec {
     sed -i '/TestDisasmExtld/areturn' src/cmd/objdump/objdump_test.go
 
     sed -i 's/unrecognized/unknown/' src/cmd/link/internal/ld/lib.go
-    sed -i 's/unrecognized/unknown/' src/cmd/go/build.go
 
     touch $TMPDIR/group $TMPDIR/hosts $TMPDIR/passwd
 
diff --git a/pkgs/development/haskell-modules/configuration-ghc-7.10.x.nix b/pkgs/development/haskell-modules/configuration-ghc-7.10.x.nix
index 18040e9fb3c..656d21c739f 100644
--- a/pkgs/development/haskell-modules/configuration-ghc-7.10.x.nix
+++ b/pkgs/development/haskell-modules/configuration-ghc-7.10.x.nix
@@ -199,6 +199,7 @@ self: super: {
   semigroups = addBuildDepends (dontCheck super.semigroups) (with self; [hashable tagged text unordered-containers]);
   texmath = addBuildDepend super.texmath self.network-uri;
   yesod-auth-oauth2 = overrideCabal super.yesod-auth-oauth2 (drv: { testDepends = (drv.testDepends or []) ++ [ self.load-env self.yesod ]; });
+  natural-transformation = addBuildDepend super.natural-transformation self.semigroups;
   # cereal must have `fail` in pre-ghc-8.0.x versions
   # also tests require bytestring>=0.10.8.1
   cereal = dontCheck (addBuildDepend super.cereal self.fail);
diff --git a/pkgs/development/python-modules/pytest-warnings/default.nix b/pkgs/development/python-modules/pytest-warnings/default.nix
index 6b835abcafe..753250315a3 100644
--- a/pkgs/development/python-modules/pytest-warnings/default.nix
+++ b/pkgs/development/python-modules/pytest-warnings/default.nix
@@ -14,7 +14,7 @@ buildPythonPackage rec {
 
   meta = {
     description = "Plugin to list Python warnings in pytest report";
-    homepage = github.com/fschulze/pytest-warnings;
+    homepage = https://github.com/fschulze/pytest-warnings;
     license = lib.licenses.mit;
   };
 }
diff --git a/pkgs/development/tools/rtags/default.nix b/pkgs/development/tools/rtags/default.nix
index 39ee3179e9c..1825bbe81c3 100644
--- a/pkgs/development/tools/rtags/default.nix
+++ b/pkgs/development/tools/rtags/default.nix
@@ -1,17 +1,12 @@
-{ stdenv, lib, fetchgit, cmake, llvmPackages, openssl, writeScript, apple_sdk, bash, emacs }:
+{ stdenv, lib, fetchgit, cmake, llvmPackages, openssl, writeScript, apple_sdk, bash, emacs, pkgconfig }:
 
 stdenv.mkDerivation rec {
   name = "rtags-${version}";
   version = "2.12";
 
-  buildInputs = [ cmake llvmPackages.llvm openssl llvmPackages.clang emacs ]
+  buildInputs = [ cmake llvmPackages.llvm openssl llvmPackages.clang emacs pkgconfig ]
     ++ lib.optionals stdenv.isDarwin [ apple_sdk.libs.xpc apple_sdk.frameworks.CoreServices ];
 
-  preConfigure = ''
-    export LIBCLANG_CXXFLAGS="-isystem ${llvmPackages.clang.cc}/include $(llvm-config --cxxflags) -fexceptions" \
-           LIBCLANG_LIBDIR="${llvmPackages.clang.cc}/lib"
-  '';
-
 
   src = fetchgit {
     rev = "refs/tags/v${version}";
@@ -25,6 +20,11 @@ stdenv.mkDerivation rec {
     '';
   };
 
+  preConfigure = ''
+    export LIBCLANG_CXXFLAGS="-isystem ${llvmPackages.clang.cc}/include $(llvm-config --cxxflags) -fexceptions" \
+           LIBCLANG_LIBDIR="${llvmPackages.clang.cc}/lib"
+  '';
+
   enableParallelBuilding = true;
 
   meta = {
diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix
index 69893f0a832..8dba4b373a3 100644
--- a/pkgs/tools/networking/tcpdump/default.nix
+++ b/pkgs/tools/networking/tcpdump/default.nix
@@ -1,36 +1,22 @@
-{ stdenv, fetchFromGitHub, fetchpatch, libpcap, enableStatic ? false
+{ stdenv, fetchurl, fetchpatch, libpcap, enableStatic ? false
 , hostPlatform
 }:
 
 stdenv.mkDerivation rec {
   name = "tcpdump-${version}";
-  version = "4.9.1";
+  version = "4.9.2";
 
-  src = fetchFromGitHub rec {
-    owner = "the-tcpdump-group";
-    repo = "tcpdump";
-    rev = "${repo}-${version}";
-    sha256 = "1vzrvn1q7x28h18yskqc390y357pzpg5xd3pzzj4xz3llnvsr64p";
+  # leaked embargoed security update
+  src = fetchurl {
+    url = "https://src.fedoraproject.org/lookaside/pkgs/tcpdump/tcpdump-4.9.2.tar.gz/sha512/e1bc19a5867d6e3628f3941bdf3ec831bf13784f1233ca1bccc46aac1702f47ee9357d7ff0ca62cddf211b3c8884488c21144cabddd92c861e32398cd8f7c44b/tcpdump-4.9.2.tar.gz";
+    sha256 = "0ygy0layzqaj838r5xd613iraz09wlfgpyh7pc6cwclql8v3b2vr";
   };
-
-  patches = [
-    (fetchpatch {
-      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11541.patch";
-      sha256 = "1lqg4lbyddnv75wpj0rs2sxz4lb3d1vp8n385i27mrpcxw9qaxia";
-    })
-    (fetchpatch {
-      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11542.patch";
-      sha256 = "0vqgmw9i5vr3d4siyrh8mw60jdmp5r66rbjxfmbnwhlfjf4bwxz4";
-    })
-    (fetchpatch {
-      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11543.patch";
-      sha256 = "1vk9ncpx0qjja8l69xw5kkvgy9fkcii2n98diazv1yndln2cs26l";
-    })
-    (fetchpatch {
-      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-OpenSSL-1.1-segfault.patch";
-      sha256 = "0mw0jdj5nyg4sviqj7wxwf2492b2bdqmjrvf1k34ak417xfcvy1d";
-    })
-  ];
+  # src = fetchFromGitHub rec {
+  #   owner = "the-tcpdump-group";
+  #   repo = "tcpdump";
+  #   rev = "${repo}-${version}";
+  #   sha256 = "1vzrvn1q7x28h18yskqc390y357pzpg5xd3pzzj4xz3llnvsr64p";
+  # };
 
   buildInputs = [ libpcap ];
 
diff --git a/pkgs/top-level/emacs-packages.nix b/pkgs/top-level/emacs-packages.nix
index 5c50fe383bb..4734b51046f 100644
--- a/pkgs/top-level/emacs-packages.nix
+++ b/pkgs/top-level/emacs-packages.nix
@@ -269,8 +269,11 @@ let
 
   rtags = melpaBuild rec {
     pname = "rtags";
-    version = "2.0"; # really, it's some arbitrary git hash
+    version = "2.12";
     src = external.rtags.src;
+
+    configurePhase = ":";
+
     propagatedUserEnvPkgs = [ external.rtags ];
     fileSpecs = [ "src/*.el" ];
     inherit (external.rtags) meta;