diff --git a/dch-repeat b/dch-repeat
new file mode 100755
index 0000000..58b31b2
--- /dev/null
+++ b/dch-repeat
@@ -0,0 +1,168 @@
+#!/usr/bin/perl
+# Copyright 2007, Kees Cook <kees@ubuntu.com>
+# License: GPLv2
+# This script is used to repeat a change log into an older release.  It
+# expects that --build-tree is layed out with each Ubuntu release as a
+# separate directory ("feisty", "edgy", etc).
+#
+# For example, if gimp had a security update prepared for Feisty in
+# $TREE/feisty/gimp-2.2.13, running "dch-repeat" in
+# $TREE/edgy/gimp-2.2.13 would pull in the latest changelog from the Feisty
+# build.
+use strict;
+use warnings;
+use Getopt::Long;
+use Cwd;
+use File::Glob ':glob';
+
+sub Usage
+{
+    print <<EOM;
+Usage: $0 [OPTIONS]
+ --build-tree PATH             Base of build trees
+ -s, --source-release RELEASE  Which release to snag a changelog from
+ --target-release RELEASE      Which release to build into
+ --devel-release RELEASE       Which release is the devel release
+ --pocket POCKET               Which pocket to use
+EOM
+    exit(0);
+}
+
+my @releases = ('dapper', 'edgy', 'feisty', 'gutsy');
+
+#Getopt::Long::Configure("bundling", "no_ignore_case");
+our $opt_build_tree = "/scratch/ubuntu/build";
+our $opt_devel_release = $releases[$#releases];
+our $opt_pocket = undef;
+our $opt_package = undef;
+our $opt_source_release = undef;
+our $opt_target_release = undef;
+
+our $opt_help = undef;
+our $opt_verbose = undef;
+
+Usage() unless (GetOptions(
+    "build-tree=s",
+    "source-release|s=s",
+    "target-release=s",
+    "package|p=s",
+    "help|h",
+    "verbose|v",
+));
+Usage() if ($opt_help);
+
+sub get_changelog($)
+{
+    my ($path) = @_;
+
+    open(LOG,"<$path/debian/changelog") || die "Cannot find changelog for '$path'\n";
+    my $log="";
+    my $line="";
+    # Skip to package name
+    $line = <LOG>;
+    # Collect changelog
+    while ($line=<LOG>) {
+        last if ($line=~/^\S/); # Stop on next changelog entry
+        $log.=$line;
+    }
+    close(LOG);
+    return $log;
+}
+
+sub replace_changelog($)
+{
+    my ($log) = @_;
+    open(LOG,"<debian/changelog") || die "Cannot find changelog\n";
+    open(NEWLOG,">debian/changelog.new") || die "Cannot write changelog\n";
+    my $line;
+    while ($line=<LOG>) {
+        last if ($line =~ /^\s*$/);
+        print NEWLOG $line || die "Changelog write failed: $!\n";
+    }
+    print NEWLOG $log || die "Changelog write failed: $!\n";
+    # Skip log items
+    while ($line=<LOG>) {
+        last if ($line =~ /^\S/);
+    }
+    print NEWLOG $line || die "Changelog write failed: $!\n";
+    while ($line=<LOG>) {
+        print NEWLOG $line || die "Changelog write failed: $!\n";
+    }
+    close(LOG);
+    close(NEWLOG) || die "Changelog close failed: $!\n";
+    rename("debian/changelog.new","debian/changelog") || die "Changelog rename failed: $!\n";
+}
+
+# By default examine Cwd for target release
+if (!defined($opt_target_release)) {
+    my $dir = getcwd;
+    if ($dir =~ m#^$opt_build_tree/([^/]+)/[^/]+$#) {
+        $opt_target_release = $1;
+    }
+    else {
+        die "No --target-release used, or current directory '$dir' outside of --build-tree of '$opt_build_tree'\n";
+    }
+}
+warn "target-release: '$opt_target_release'\n" if ($opt_verbose);
+
+# By default, examine changelog for package
+if (!defined($opt_package)) {
+    chomp($opt_package=`dpkg-parsechangelog | grep ^"Source: " | cut -d" " -f2`);
+    if ($opt_package eq "") {
+        die "Cannot figure out package name from changelog\n";
+    }
+}
+warn "package: '$opt_package\n" if ($opt_verbose);
+
+# By default, take changelog from newer release
+if (!defined($opt_source_release)) {
+    if ($opt_target_release eq $opt_devel_release) {
+        die "No more recent release than '$opt_devel_release' to take changelog from\n";
+    } 
+    foreach my $i (0 .. $#releases) {
+        if ($releases[$i] eq $opt_target_release) {
+            $opt_source_release = $releases[$i+1];
+        }
+    }
+    if (!defined($opt_source_release)) {
+        die "Could not locate a newer release than '$releases[$#releases]'";
+    }
+}
+warn "source-release: '$opt_source_release\n" if ($opt_verbose);
+warn "devel-release: '$opt_devel_release\n" if ($opt_verbose);
+
+# By default, use "security" pocket for non-devel releases
+if (!defined($opt_pocket)) {
+    if ($opt_target_release eq $opt_devel_release) {
+        $opt_pocket = "";
+    }
+    else {
+        $opt_pocket = "security";
+    }
+}
+warn "pocket: '$opt_pocket'\n" if ($opt_verbose);
+
+# Source location
+my @dirs = grep((-d $_),bsd_glob("$opt_build_tree/$opt_source_release/$opt_package-*"));
+if (scalar(@dirs)==0) {
+    die "Cannot find '$opt_build_tree/$opt_source_release/$opt_package-*'\n";
+}
+elsif (scalar(@dirs)>1) {
+    warn "Multiple possible source dirs, using '$dirs[0]'\n";
+}
+warn "source dir: '$dirs[0]'\n" if ($opt_verbose);
+my $log = get_changelog($dirs[0]);
+my $args = "";
+if ($opt_pocket ne "") {
+    $args = "-s -D $opt_target_release-$opt_pocket";
+}
+else {
+    $args = "-i";
+}
+system("dch $args auto-changelog")==0 || die "dch failed: $!\n";
+replace_changelog($log);
+
+# Report!
+system("dpkg-parsechangelog");
+
+exit(0);
diff --git a/mk-sbuild-lv b/mk-sbuild-lv
new file mode 100755
index 0000000..d5f233b
--- /dev/null
+++ b/mk-sbuild-lv
@@ -0,0 +1,264 @@
+#!/bin/bash
+# Script to create LVM snapshot chroots via schroot and sbuild.
+# Much love to "man sbuild-setup", https://wiki.ubuntu.com/PbuilderHowto,
+# and https://help.ubuntu.com/community/SbuildLVMHowto.
+#
+# This script assumes that sbuild has not be installed and configured before.
+#
+# If using schroot earlier than 1.1.4-1, it's a good idea to apply the
+# process-cleaning patch to /etc/schroot/setup.d/10mount.  Without this, any
+# processes left running from the build (like cron, dbus, etc) will stop
+# schroot from umounting and shutting down cleanly:
+#   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391319
+#
+# If using sbuild 0.50 or earlier, and you intend to use the "arch" argument
+# to do i386 builds on amd64, you will need to patch "sbuild" to correctly
+# detect the chroot architecture:
+#   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392992
+#
+# Version: 0.11
+#
+# Copyright 2006-2007, Canonical Ltd, Kees Cook <kees@ubuntu.com>
+# License: GPLv2
+set -e
+
+# Make sure we've got a regular user
+if [ -w /etc/passwd ]; then
+    echo "Please run this script as a regular user, not root." >&2
+    exit 1
+fi
+
+# Perform once-only things to initially set up for using sbuild+schroot+lvm
+if [ ! -w /var/lib/sbuild ]; then
+    # Load all the packages you'll need to do work
+    sudo apt-get install sbuild schroot debootstrap lvm2
+    # Make sure LVM tools that operate on the snapshots have needed module
+    sudo modprobe dm_snapshot
+    sudo bash -c "grep ^dm_snapshot /etc/modules >/dev/null || echo dm_snapshot >> /etc/modules"
+    # Add self to the sbuild group
+    sudo adduser "$USER" sbuild
+
+    # Create some default build/log areas
+    mkdir -p ~/ubuntu/build ~/ubuntu/logs
+    # Prepare a usable default .sbuildrc
+    if [ ! -e ~/.sbuildrc ]; then
+        cat > ~/.sbuildrc <<EOM
+# *** VERIFY AND UPDATE \$mailto and \$maintainer_name BELOW ***
+
+# Mail address where logs are sent to (mandatory, no default!)
+\$mailto = '$USER';
+
+# Name to use as override in .changes files for the Maintainer: field
+# (mandatory, no default!).
+\$maintainer_name='$USER <$USER@localhost>';
+
+# Chroot behaviour; possible values are "split" (apt and dpkg are run
+# from the host system) and "schroot" (all package operations are done in
+# the chroot with schroot, but the chroot must allow networking)
+\$chroot_mode = "schroot";
+
+# Directory for chroot symlinks and sbuild logs.  Defaults to the
+# current directory if unspecified.
+#\$build_dir='$HOME/ubuntu/build';
+
+# Directory for writing build logs to
+\$log_dir="$HOME/ubuntu/logs";
+
+# don't remove this, Perl needs it:
+1;
+EOM
+        sensible-editor ~/.sbuildrc
+    else
+        echo "Your ~/.sbuildrc already exists -- leaving it as-is."
+    fi
+
+    echo '***********************************************'
+    echo '* Before continuing, you MUST restart your    *'
+    echo '* session to gain "sbuild" group permissions! *' 
+    echo '***********************************************'
+    exit 0
+fi
+
+if ! id | fgrep -q '(sbuild)'; then
+    echo "You must be a member of the 'sbuild' group." >&2
+    exit 1
+fi
+
+function usage()
+{
+    echo "Usage: $0 [OPTIONS] VG Release" >&2
+    echo "Options:"
+    echo "  --arch=ARCH    What architecture to select"
+    echo "  --name=NAME    Base name for the schroot (arch is appended)"
+    echo "  --debug        Turn on script debugging"
+    exit 1
+}
+
+
+if [ -z "$1" ]; then
+    usage
+fi
+OPTS=`getopt -o '' --long "help,debug,arch:,name::" -- "$@"`
+eval set -- "$OPTS"
+
+name=""
+while :; do
+    case "$1" in
+        --debug)
+            set -x
+            shift
+            ;;
+        --arch)
+            # By default, use the native architecture.
+            arch_opt="--arch $2"
+            arch_suffix="-$2"
+            shift 2
+            ;;
+        --name)
+            name="$2"
+            shift 2
+            ;;
+        --)
+            shift
+            break
+            ;;
+        --help|*)
+            usage
+            ;;
+     esac
+done
+
+# To build the LV, we need to know which volume group to use, and which
+# release of Ubuntu to debootstrap
+VG="$1"
+RELEASE="$2"
+if [ -z "$VG" ] || [ -z "$RELEASE" ]; then
+    usage
+fi
+
+# By default, name the schroot the same as the release
+if [ -z "$name" ]; then
+    name="$RELEASE"
+fi
+
+# Set up some variables for use in the paths and names
+CHROOT_LV="${name}_chroot${arch_suffix}"
+CHROOT_PATH="/dev/$VG/$CHROOT_LV"
+CHROOT_NAME="${name}${arch_suffix}"
+
+# Does the specified VG exist?  (vgdisplay doesn't set error codes...)
+if [ `sudo vgdisplay -c "$VG" | wc -l` -eq 0 ]; then
+    exit 1 
+fi
+
+# Is the specified release known to debootstrap?
+if [ ! -f "/usr/lib/debootstrap/scripts/$RELEASE" ]; then
+    echo "Specified release not known to debootstrap" >&2
+    exit 1
+else
+    # Look for a buildd variant to work with
+    if [ -f "/usr/lib/debootstrap/scripts/${RELEASE}.buildd" ]; then
+        variant_opt="--variant=buildd"
+    fi
+fi
+
+# Allocate the "golden" chroot LV
+sudo lvcreate -n "$CHROOT_LV" -L 5G "$VG"
+sudo mkfs -t ext3 "$CHROOT_PATH"
+
+# Mount and debootstrap the chroot
+MNT=`mktemp -d -t schroot-XXXXXX`
+sudo mount "$CHROOT_PATH" "$MNT"
+sudo debootstrap $arch_opt $variant_opt "$RELEASE" "$MNT" "${DEBOOTSTRAP_MIRROR:-http://archive.ubuntu.com/ubuntu}"
+# Update the package sources
+TEMP_SOURCES=`mktemp -t sources-XXXXXX`
+TEMPLATE_SOURCES=~/.mk-sbuild-lv.sources
+if [ -r "$TEMPLATE_SOURCES" ]; then
+    cat "$TEMPLATE_SOURCES" > "$TEMP_SOURCES"
+else
+    cat > "$TEMP_SOURCES" <<EOM
+deb http://archive.ubuntu.com/ubuntu RELEASE main restricted universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu RELEASE main restricted universe multiverse
+deb http://archive.ubuntu.com/ubuntu RELEASE-updates main restricted universe multiverse
+deb-src http://archive.ubuntu.com/ubuntu RELEASE-updates main restricted universe multiverse
+deb http://security.ubuntu.com/ubuntu RELEASE-security main restricted universe multiverse
+deb-src http://security.ubuntu.com/ubuntu RELEASE-security main restricted universe multiverse
+EOM
+fi
+cat "$TEMP_SOURCES" | sed -e "s|RELEASE|$RELEASE|g" | \
+    sudo bash -c "cat > $MNT/etc/apt/sources.list"
+rm -f "$TEMP_SOURCES"
+# Copy the timezone (comment this out if you want to leave the chroot at UTC)
+sudo cp /etc/localtime /etc/timezone "$MNT"/etc/
+# Create an LVM-snapshot-based schroot entry for this LV
+TEMP_SCHROOTCONF=`mktemp -t schrootconf-XXXXXX`
+TEMPLATE_SCHROOTCONF=~/.mk-sbuild-lv.schroot.conf
+if [ -r "$TEMPLATE_SCHROOTCONF" ]; then
+    cat "$TEMPLATE_SCHROOTCONF" > "$TEMP_SCHROOTCONF"
+else
+    cat > "$TEMPLATE_SCHROOTCONF" <<EOM
+
+[CHROOT_NAME]
+type=lvm-snapshot
+description=CHROOT_NAME
+priority=3
+groups=sbuild,root,admin
+root-groups=root,sbuild,admin
+source-groups=sbuild,root,admin
+source-root-groups=root,sbuild,admin
+device=CHROOT_PATH
+mount-options=-o noatime
+lvm-snapshot-options=--size 4G
+run-setup-scripts=true
+run-exec-scripts=true
+EOM
+fi
+cat "$TEMP_SCHROOTCONF" | sed \
+        -e "s|CHROOT_NAME|$CHROOT_NAME|g" \
+        -e "s|CHROOT_PATH|$CHROOT_PATH|g" \
+        | \
+        sudo bash -c "cat >> /etc/schroot/schroot.conf"
+rm -f "$TEMP_SCHROOTCONF"
+# Create image finalization script
+BUILD_PKGS="build-essential fakeroot devscripts"
+# Add edgy+ buildd tools
+if [ "$RELEASE" != "breezy" ] && [ "$RELEASE" != "dapper" ]; then
+    BUILD_PKGS="$BUILD_PKGS pkg-create-dbgsym pkgbinarymangler"
+fi
+sudo bash -c "cat >> $MNT/finish.sh" <<EOM
+#!/bin/bash
+#set -x
+set -e
+# Reload package lists
+apt-get update || true
+# Pull down signature requirements
+apt-get -y --force-yes install gnupg ubuntu-keyring
+# Reload package lists
+apt-get update || true
+# Disable debconf questions so that automated builds won't prompt
+echo set debconf/frontend Noninteractive | debconf-communicate
+echo set debconf/priority critical | debconf-communicate
+# Install basic build tool set, trying to match buildd
+apt-get -y install $BUILD_PKGS
+# Set up expected /dev entries
+ln -s /proc/self/fd/0 /dev/stdin
+ln -s /proc/self/fd/1 /dev/stdout
+ln -s /proc/self/fd/2 /dev/stderr
+# Clean up
+apt-get clean
+rm /finish.sh
+EOM
+sudo chmod +x "$MNT"/finish.sh
+sudo umount "$MNT"
+rmdir "$MNT"
+# Run finalization script on the "golden" copy via schroot.
+(cd / && schroot -c "$CHROOT_NAME"-source -u root /finish.sh)
+
+# Finished
+echo ""
+echo "Done building $CHROOT_NAME."
+echo ""
+echo " To UPDATE the golden image: schroot -c ${CHROOT_NAME}-source -u root"
+echo " To ENTER an image snapshot: schroot -c ${CHROOT_NAME}"
+echo " To BUILD within a snapshot: sbuild -d ${CHROOT_NAME} PACKAGE*.dsc"
+echo ""
diff --git a/pull-debian-debdiff b/pull-debian-debdiff
new file mode 100755
index 0000000..8d58e60
--- /dev/null
+++ b/pull-debian-debdiff
@@ -0,0 +1,143 @@
+#!/usr/bin/perl
+# Copyright 2007 Kees Cook <kees@ubuntu.com>
+# License GPLv2
+# This script attempts to find and download a specific version of a Debian
+# package and its immediate parent to generate a debdiff.
+# Requires: devscripts diffstat dpkg-dev
+# Cleanups needed:
+#  - general cleanup
+#  - parse diff.gz/orig.tar.gz from .dsc file instead of guessing version
+use strict;
+use warnings;
+
+sub geturls
+{
+    my ($urlbase,$pkg,$version)=@_;
+    my $file;
+
+    $file = "${pkg}_${version}.dsc";
+    warn "Trying $urlbase/$file ...\n";
+    if (! -r "$file") {
+
+        system("wget $urlbase/$file");
+        return 0 if ($? != 0);
+    }
+
+    warn "Pulling source of $urlbase/$file ...\n";
+
+    $file = "${pkg}_${version}.diff.gz";
+    if (! -r "$file") {
+        system("wget $urlbase/$file");
+        return 0 if ($? != 0);
+    }
+
+    my $orig_ver = $version;
+    $orig_ver =~ s/-.*//;
+
+    $file = "${pkg}_${orig_ver}.orig.tar.gz";
+    if (! -r "$file") {
+        system("wget $urlbase/$file");
+        return 0 if ($? != 0);
+    }
+
+    return 1;
+}
+
+sub generate_base
+{
+    my ($pkg)=@_;
+    
+    my @path;
+    push(@path,"main");
+    if ($pkg =~ /^(lib.)/) {
+        push(@path,$1);
+    }
+    else {
+        push(@path,substr($pkg,0,1));
+    }
+    push(@path,$pkg);
+    return join("/",@path);
+}
+
+sub download_source
+{
+    my ($pkg,$version)=@_;
+    my $urlbase;
+
+    my $base = generate_base($pkg);
+
+    # Attempt to pull from security updates first
+    $urlbase = "http://security.debian.org/pool/updates/$base";
+
+    if (!geturls($urlbase,$pkg,$version)) {
+        # Try regular pool
+
+        $urlbase = "http://ftp.debian.org/debian/pool/$base";
+        if (!geturls($urlbase,$pkg,$version)) {
+            # Try snapshot
+
+            $urlbase=`curl -sI 'http://snapshot.debian.net/package/$pkg/$version' | grep ^[lL]ocation | cut -d' ' -f2 | head -1`;
+            $urlbase =~ s/[\r\n]//g;
+            warn "Trying snapshot location '$urlbase' ...\n";
+
+            if ($urlbase ne "" && !geturls($urlbase,$pkg,$version)) {
+                return 0;
+            }
+        }
+    }
+
+    return 1;
+}
+
+
+
+my $pkg = $ARGV[0];
+my $version = $ARGV[1];
+my $skip = $ARGV[2] || 1;
+$skip+=0;
+
+if (!defined($pkg) || !defined($version)) {
+    die "Usage: $0 PKG VERSION\n";
+}
+
+
+# Extract latest source
+die "Cannot locate $pkg $version\n" unless download_source($pkg,$version);
+system("dpkg-source -x ${pkg}_${version}.dsc");
+die "Unpack of $pkg $version failed\n" unless ($? == 0);
+
+# Locate prior changelog entry
+my $prev_ver;
+my $srcdir;
+opendir(DIR,".");
+while ($srcdir = readdir(DIR)) {
+    last if ($srcdir =~ /^${pkg}-/ && -d $srcdir);
+}
+closedir(DIR);
+die "Cannot locate source tree\n" if (!defined($srcdir));
+open(LOG,"<$srcdir/debian/changelog");
+while (my $line=<LOG>) {
+    if ($line =~ /^$pkg \((?:\d+:)?([^\)]+)\)/) {
+        my $seen = $1;
+        if ($seen ne $version) {
+            $skip--;
+
+            if ($skip==0) {
+                $prev_ver=$seen;
+                last;
+            }
+        }
+    }
+}
+close(LOG);
+die "Cannot find earlier source version\n" if (!defined($prev_ver));
+
+die "Cannot locate $pkg $prev_ver\n" unless download_source($pkg,$prev_ver);
+system("dpkg-source -x ${pkg}_${prev_ver}.dsc");
+die "Unpack of $pkg $prev_ver failed\n" unless ($? == 0);
+
+system("debdiff ${pkg}_${prev_ver}.dsc ${pkg}_${version}.dsc > ${pkg}_${version}.debdiff");
+die "Cannot debdiff\n" unless ($? == 0);
+
+system("diffstat -p0 ${pkg}_${version}.debdiff");
+print "${pkg}_${version}.debdiff\n";
diff --git a/what-patch b/what-patch
new file mode 100755
index 0000000..5236ed7
--- /dev/null
+++ b/what-patch
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Copyright 2006,2007 (C) Kees Cook <kees@ubuntu.com>
+# License: GPLv2
+for filename in $(echo "debian/rules"; grep ^include debian/rules | fgrep -v '$(' | awk '{print $2}')
+do
+    fgrep -q patchsys.mk "$filename" && { echo "cdbs"; exit; }
+    fgrep -q quilt "$filename" && { echo "quilt"; exit; }
+    fgrep -q dbs-build.mk "$filename" && { echo "dbs"; exit; }
+    fgrep -q dpatch "$filename" && { echo "dpatch"; exit; }
+    fgrep -q '*.diff' "$filename" && { echo "diff splash"; exit; }
+done
+[ -d debian/patches ] || { echo "patchless?"; exit; }
+echo "unknown patch system"