45 changed files with 540 additions and 887 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,13 +1,3 @@
 1.3.3 (2023-02-19)
 ------------------
 - testsuite improvements
 1.3.2 (2023-02-16)
 ------------------
 - unshare mode works in privileged docker containers
 1.3.1 (2023-01-20)
 ------------------
--- a/caching_proxy.py
+++ b/caching_proxy.py
@ -1,113 +0,0 @@
 #!/usr/bin/env python3
 import sys
 import os
 import time
 import http.client
 import http.server
 from io import StringIO
 import pathlib
 import urllib.parse
 oldcachedir = None
 newcachedir = None
 readonly = False
 class ProxyRequestHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        assert int(self.headers.get("Content-Length", 0)) == 0
        assert self.headers["Host"]
        pathprefix = "http://" + self.headers["Host"] + "/"
        assert self.path.startswith(pathprefix)
        sanitizedpath = urllib.parse.unquote(self.path.removeprefix(pathprefix))
        oldpath = oldcachedir / sanitizedpath
        newpath = newcachedir / sanitizedpath
        if not readonly:
            newpath.parent.mkdir(parents=True, exist_ok=True)
        # just send back to client
        if newpath.exists():
            print(f"proxy cached: {self.path}", file=sys.stderr)
            self.wfile.write(b"HTTP/1.1 200 OK\r\n")
            self.send_header("Content-Length", newpath.stat().st_size)
            self.end_headers()
            with newpath.open(mode="rb") as new:
                while True:
                    buf = new.read(64 * 1024)  # same as shutil uses
                    if not buf:
                        break
                    self.wfile.write(buf)
            self.wfile.flush()
            return
        if readonly:
            newpath = pathlib.Path("/dev/null")
        # copy from oldpath to newpath and send back to client
        # Only take files from the old cache if they are .deb files or Packages
        # files in the by-hash directory as only those are unique by their path
        # name. Other files like InRelease files have to be downloaded afresh.
        if oldpath.exists() and (
            oldpath.suffix == ".deb" or "by-hash" in oldpath.parts
        ):
            print(f"proxy cached: {self.path}", file=sys.stderr)
            self.wfile.write(b"HTTP/1.1 200 OK\r\n")
            self.send_header("Content-Length", oldpath.stat().st_size)
            self.end_headers()
            with oldpath.open(mode="rb") as old, newpath.open(mode="wb") as new:
                while True:
                    buf = old.read(64 * 1024)  # same as shutil uses
                    if not buf:
                        break
                    self.wfile.write(buf)
                    new.write(buf)
            self.wfile.flush()
            return
        # download fresh copy
        try:
            print(f"\rproxy download: {self.path}", file=sys.stderr)
            conn = http.client.HTTPConnection(self.headers["Host"], timeout=5)
            conn.request("GET", self.path, None, dict(self.headers))
            res = conn.getresponse()
            assert (res.status, res.reason) == (200, "OK"), (res.status, res.reason)
            self.wfile.write(b"HTTP/1.1 200 OK\r\n")
            for k, v in res.getheaders():
                # do not allow a persistent connection
                if k == "connection":
                    continue
                self.send_header(k, v)
            self.end_headers()
            with newpath.open(mode="wb") as f:
                while True:
                    buf = res.read(64 * 1024)  # same as shutil uses
                    if not buf:
                        break
                    self.wfile.write(buf)
                    f.write(buf)
                    time.sleep(64 / 1024)  # 1024 kB/s
            self.wfile.flush()
        except Exception as e:
            self.send_error(502)
 def main():
    global oldcachedir, newcachedir, readonly
    if sys.argv[1] == "--readonly":
        readonly = True
        oldcachedir = pathlib.Path(sys.argv[2])
        newcachedir = pathlib.Path(sys.argv[3])
    else:
        oldcachedir = pathlib.Path(sys.argv[1])
        newcachedir = pathlib.Path(sys.argv[2])
    print(f"starting caching proxy for {newcachedir}", file=sys.stderr)
    httpd = http.server.ThreadingHTTPServer(
        server_address=("", 8080), RequestHandlerClass=ProxyRequestHandler
    )
    httpd.serve_forever()
 if __name__ == "__main__":
    main()
--- a/coverage.py
+++ b/coverage.py
@ -13,14 +13,14 @@ from collections import defaultdict
 from itertools import product
 have_qemu = os.getenv("HAVE_QEMU", "yes") == "yes"
 have_unshare = os.getenv("HAVE_UNSHARE", "yes") == "yes"
 have_binfmt = os.getenv("HAVE_BINFMT", "yes") == "yes"
 run_ma_same_tests = os.getenv("RUN_MA_SAME_TESTS", "yes") == "yes"
 use_host_apt_config = os.getenv("USE_HOST_APT_CONFIG", "no") == "yes"
 cmd = os.getenv("CMD", "./mmdebstrap")
 default_dist = os.getenv("DEFAULT_DIST", "unstable")
 all_dists = ["oldstable", "stable", "testing", "unstable"]
-default_mode = "auto"
+default_mode = "auto" if have_unshare else "root"
 all_modes = ["auto", "root", "unshare", "fakechroot", "chrootless"]
 default_variant = "apt"
 all_variants = [
@ -39,7 +39,7 @@ all_formats = ["auto", "directory", "tar", "squashfs", "ext2", "null"]
 mirror = os.getenv("mirror", "http://127.0.0.1/debian")
 hostarch = subprocess.check_output(["dpkg", "--print-architecture"]).decode().strip()
-release_path = f"./shared/cache/debian/dists/{default_dist}/InRelease"
+release_path = f"./shared/cache/debian/dists/{default_dist}/Release"
 if not os.path.exists(release_path):
    print("path doesn't exist:", release_path, file=sys.stderr)
    print("run ./make_mirror.sh first", file=sys.stderr)
@ -94,7 +94,6 @@ def parse_config(confname):
                    "Skip-If",
                    "Needs-QEMU",
                    "Needs-Root",
                    "Needs-APT-Config",
                ]:
                    print(f"Unknown field name {k} in test {name}")
                    exit(1)
@ -203,7 +202,7 @@ def main():
    args = parser.parse_args()
    # copy over files from git or as distributed
-    for git, dist, target in [
+    for (git, dist, target) in [
        ("./mmdebstrap", "/usr/bin/mmdebstrap", "mmdebstrap"),
        ("./tarfilter", "/usr/bin/mmtarfilter", "tarfilter"),
        (
@ -268,18 +267,18 @@ def main():
            skipreason = skip(test.get("Skip-If"), dist, mode, variant, fmt)
            if skipreason:
                tt = ("skip", skipreason)
            elif (
                test.get("Needs-APT-Config", "false") == "true" and use_host_apt_config
            ):
                tt = ("skip", "test cannot use host apt config")
            elif have_qemu:
                tt = "qemu"
            elif test.get("Needs-QEMU", "false") == "true":
                tt = ("skip", "test needs QEMU")
            elif test.get("Needs-Root", "false") == "true":
                tt = "sudo"
            elif mode == "auto" and not have_unshare:
                tt = "sudo"
            elif mode == "root":
                tt = "sudo"
            elif mode == "unshare" and not have_unshare:
                tt = ("skip", "test needs unshare")
            else:
                tt = "null"
            tests.append((tt, name, dist, mode, variant, fmt))
@ -372,9 +371,7 @@ def main():
                argv = ["./run_null.sh"]
            case ("skip", reason):
                skipped[reason].append(
-                    format_test(
+                    ("(%d/%d) %s" % (i + 1, len(tests), name), dist, mode, variant, fmt)
                        i + 1, len(tests), name, dist, mode, variant, fmt, config_dict
                    )
                )
                print(f"skipped because of {reason}", file=sys.stderr)
                continue
--- a/coverage.sh
+++ b/coverage.sh
@ -22,10 +22,8 @@ if [ -e ./mmdebstrap ]; then
 	perlcritic --severity 4 --verbose 8 ./mmdebstrap
 fi
-for f in tarfilter coverage.py caching_proxy.py; do
+[ -e ./tarfilter ] && black --check ./tarfilter
-	[ -e "./$f" ] || continue
+[ -e ./coverage.py ] && black --check ./coverage.py
 	black --check "./$f"
 done
 shellcheck --exclude=SC2016 coverage.sh make_mirror.sh run_null.sh run_qemu.sh gpgvnoexpkeysig hooks/*/*.sh
@ -53,6 +51,21 @@ if [ "$HAVE_QEMU" = "yes" ]; then
 	fi
 fi
 # check if all required debootstrap tarballs exist
 notfound=0
 for dist in oldstable stable testing unstable; do
 	for variant in minbase buildd -; do
 		if [ ! -e "shared/cache/debian-$dist-$variant.tar" ]; then
 			echo "shared/cache/debian-$dist-$variant.tar does not exist" >&2
 			notfound=1
 		fi
 	done
 done
 if [ "$notfound" -ne 0 ]; then
 	echo "not all required debootstrap tarballs are present" >&2
 	exit 1
 fi
 # choose the timestamp of the unstable Release file, so that we get
 # reproducible results for the same mirror timestamp
 SOURCE_DATE_EPOCH=$(date --date="$(grep-dctrl -s Date -n '' "$mirrordir/dists/$DEFAULT_DIST/Release")" +%s)
@ -60,6 +73,7 @@ SOURCE_DATE_EPOCH=$(date --date="$(grep-dctrl -s Date -n '' "$mirrordir/dists/$D
 # for traditional sort order that uses native byte values
 export LC_ALL=C.UTF-8
 : "${HAVE_UNSHARE:=yes}"
 : "${HAVE_BINFMT:=yes}"
 # by default, use the mmdebstrap executable in the current directory together
@ -67,7 +81,7 @@ export LC_ALL=C.UTF-8
 : "${CMD:=perl -MDevel::Cover=-silent,-nogcov ./mmdebstrap}"
 mirror="http://127.0.0.1/debian"
-export HAVE_QEMU HAVE_BINFMT RUN_MA_SAME_TESTS DEFAULT_DIST SOURCE_DATE_EPOCH CMD mirror
+export HAVE_QEMU HAVE_UNSHARE HAVE_BINFMT RUN_MA_SAME_TESTS DEFAULT_DIST SOURCE_DATE_EPOCH CMD mirror
 ./coverage.py
@ -85,6 +99,8 @@ cover -delete cover_db >&2
 END
 	if [ "$HAVE_QEMU" = "yes" ]; then
 		./run_qemu.sh
 	elif [ "$HAVE_UNSHARE" != "yes" ]; then
 		./run_null.sh SUDO
 	else
 		./run_null.sh
 	fi
@ -94,4 +110,4 @@ END
 	echo
 fi
-rm -f shared/test.sh shared/tar1.txt shared/tar2.txt shared/pkglist.txt shared/doc-debian.tar.list shared/mmdebstrap shared/tarfilter shared/proxysolver
+rm shared/test.sh shared/tar1.txt shared/tar2.txt shared/pkglist.txt shared/doc-debian.tar.list shared/mmdebstrap shared/tarfilter shared/proxysolver
--- a/coverage.txt
+++ b/coverage.txt
@ -1,23 +1,10 @@
 Test: debootstrap
 Dists: any
 Variants: minbase buildd -
 Needs-Root: true
 Needs-APT-Config: true
 Skip-If: variant == "-" and dist == "oldstable" #917773
 Test: check-against-debootstrap-dist
 Dists: any
 Variants: minbase buildd -
 Needs-Root: true
 Needs-APT-Config: true
 Skip-If: variant == "-" and dist == "oldstable" #917773
 Test: as-debootstrap-unshare-wrapper
-Modes: unshare
+Needs-QEMU: true
 Needs-Root: true
 Variants: minbase -
 Needs-APT-Config: true
 Skip-If: variant == "-" and dist == "oldstable" #917773
 Test: help
@ -33,7 +20,6 @@ Needs-Root: true
 Test: dist-using-codename
 Dists: any
 Needs-APT-Config: true
 Test: fail-without-etc-subuid
 Needs-QEMU: true
@ -43,15 +29,12 @@ Needs-QEMU: true
 Test: unshare-as-root-user-inside-chroot
 Needs-Root: true
 Needs-APT-Config: true
 Test: root-mode-inside-chroot
 Needs-Root: true
 Needs-APT-Config: true
 Test: root-mode-inside-unshare-chroot
-Modes: unshare
+Needs-QEMU: true
 Needs-APT-Config: true
 Test: root-without-cap-sys-admin
 Needs-Root: true
@ -59,21 +42,8 @@ Needs-Root: true
 Test: mount-is-missing
 Needs-QEMU: true
 Test: mmdebstrap
 Needs-Root: true
 Modes: root
 Formats: tar squashfs ext2
 Variants: essential apt minbase buildd - standard
 Skip-If:
 variant == "standard" and dist in ["oldstable", "stable"] # #864082, #1004557, #1004558
 variant == "important" and dist == "oldstable" # /var/lib/systemd/catalog/database differs
 fmt == "squashfs" and dist == "oldstable" # squashfs-tools-ng is not available
 fmt == "ext2" and dist == "oldstable" # genext2fs does not support SOURCE_DATE_EPOCH
 mode == "fakechroot" and variant in ["-", "standard"] # no extended attributes
 variant == "standard" and hostarch in ["armel", "armhf", "mipsel"] # #1031276
 Test: check-for-bit-by-bit-identical-format-output
-Modes: unshare fakechroot
+Needs-QEMU: true
 Formats: tar squashfs ext2
 Variants: essential apt minbase buildd - standard
 Skip-If:
@ -81,8 +51,6 @@ Skip-If:
 variant == "important" and dist == "oldstable" # /var/lib/systemd/catalog/database differs
 fmt == "squashfs" and dist == "oldstable" # squashfs-tools-ng is not available
 fmt == "ext2" and dist == "oldstable" # genext2fs does not support SOURCE_DATE_EPOCH
 mode == "fakechroot" and variant in ["-", "standard"] # no extended attributes
 variant == "standard" and hostarch in ["armel", "armhf", "mipsel"] # #1031276
 Test: tarfilter-idshift
 Needs-QEMU: true
@ -106,21 +74,19 @@ Test: missing-device-nodes-outside-the-chroot
 Needs-QEMU: true
 Test: missing-dev-sys-proc-inside-the-chroot
-Modes: unshare
+Needs-QEMU: true
 Variants: custom
 Test: chroot-directory-not-accessible-by-apt-user
 Needs-Root: true
 Test: cwd-directory-not-accessible-by-unshared-user
-Needs-Root: true
+Needs-QEMU: true
 Modes: unshare
 Test: create-gzip-compressed-tarball
 Needs-QEMU: true
 Test: custom-tmpdir
-Needs-Root: true
+Needs-QEMU: true
 Modes: unshare
 Test: xz-compressed-tarball
@ -143,7 +109,6 @@ Test: read-from-stdin-write-to-stdout
 Test: supply-components-manually
 Modes: root
 Needs-Root: true
 Needs-APT-Config: true
 Test: stable-default-mirror
 Needs-QEMU: true
@ -168,23 +133,19 @@ Needs-QEMU: true
 Test: mirror-is-deb
 Test: mirror-is-real-file
 Needs-APT-Config: true
 Test: deb822-1-2
 Modes: root
 Needs-Root: true
 Needs-APT-Config: true
 Test: deb822-2-2
 Modes: root
 Needs-Root: true
 Needs-APT-Config: true
 Test: automatic-mirror-from-suite
 Needs-QEMU: true
 Test: invalid-mirror
 Needs-APT-Config: true
 Test: fail-installing-to-root
 Modes: root
@ -206,14 +167,12 @@ Skip-If:
 Test: include-libmagic-mgc-arm64
 Needs-Root: true
 Needs-APT-Config: true
 Skip-If:
 hostarch != "amd64"
 not run_ma_same_tests
 Test: include-libmagic-mgc-arm64-with-multiple-arch-options
 Needs-Root: true
 Needs-APT-Config: true
 Skip-If:
 hostarch != "amd64"
 not run_ma_same_tests
@ -226,7 +185,6 @@ Needs-QEMU: true
 Test: keyring-overwrites
 Needs-Root: true
 Needs-APT-Config: true
 Test: signed-by-without-host-keys
 Needs-QEMU: true
@ -236,7 +194,6 @@ Needs-QEMU: true
 Test: signed-by-with-host-keys
 Needs-Root: true
 Needs-APT-Config: true
 Test: dpkgopt
 Needs-Root: true
@ -270,14 +227,13 @@ Needs-Root: true
 Test: special-hooks-using-helpers
 Needs-Root: true
 Needs-APT-Config: true
 Test: special-hooks-using-helpers-and-env-vars
 Needs-Root: true
 Needs-APT-Config: true
 Test: special-hooks-with-mode-mode
 Modes: root unshare fakechroot
 Needs-QEMU: true
 Test: debootstrap-no-op-options
 Needs-Root: true
@ -293,7 +249,6 @@ Needs-Root: true
 Test: logfile
 Needs-Root: true
 Needs-APT-Config: true
 Test: without-etc-resolv-conf-and-etc-hostname
 Needs-QEMU: true
@ -319,21 +274,19 @@ Skip-If:
 variant == "important" and dist == "oldstable" # /var/lib/systemd/catalog/database differs
 Test: create-directory-dry-run
 Modes: root
 Test: create-tarball-dry-run
 Variants: any
 Modes: any
 Test: unpack-doc-debian
-Modes: root fakechroot
+Needs-QEMU: true
 Modes: any
 Variants: extract
 Needs-APT-Config: true
 Test: install-doc-debian
 Modes: chrootless
 Variants: custom
 Needs-APT-Config: true
 Test: chrootless
 Variants: essential
@ -345,9 +298,9 @@ Skip-If:
 Test: chrootless-fakeroot
 Variants: essential
 Modes: chrootless
 Needs-QEMU: true
 Skip-If:
 dist in ["oldstable", "stable"]
 hostarch in ["i386", "armel", "armhf", "mipsel"] # #1023286
 Test: chrootless-foreign
 Variants: essential
@ -361,16 +314,12 @@ Needs-QEMU: true
 Test: install-doc-debian-and-output-tarball
 Variants: custom
 Modes: chrootless
 Needs-APT-Config: true
 Test: install-doc-debian-and-test-hooks
 Variants: custom
 Modes: chrootless
 Needs-APT-Config: true
 Test: install-libmagic-mgc-on-arm64
 Variants: custom
 Modes: chrootless
 Skip-If:
 hostarch != "amd64"
 not have_binfmt
@ -390,26 +339,25 @@ Modes: fakechroot
 Test: dev-ptmx
 Modes: root unshare
 Needs-QEMU: true
 Test: error-if-stdout-is-tty
 Test: variant-custom-timeout
 Test: include-deb-file
 Needs-APT-Config: true
 Test: unshare-include-deb
 Modes: unshare
 Needs-QEMU: true
 Test: pivot_root
 Modes: root unshare
-Needs-APT-Config: true
+Needs-QEMU: true
 Test: jessie-or-older
-Needs-Root: true
+Needs-QEMU: true
 Modes: root unshare fakechroot
 Variants: essential apt minbase
 Skip-If: mode == "fakechroot" and hostarch in ["i386", "armel", "armhf", "mipsel"] # #1023286
 Test: apt-patterns
@ -419,8 +367,3 @@ Test: empty-sources.list
 Test: merged-fakechroot-inside-unmerged-chroot
 Needs-Root: true
 Needs-APT-Config: true
 Skip-If: hostarch in ["i386", "armel", "armhf", "mipsel"] # #1023286
 Test: auto-mode-as-normal-user
 Modes: auto
--- a/make_mirror.sh
+++ b/make_mirror.sh
@ -92,11 +92,76 @@ deletecache() {
 }
 cleanup_newcachedir() {
 	kill "$PROXYPID" || :
 	echo "running cleanup_newcachedir"
 	deletecache "$newcachedir"
 }
 get_oldaptnames() {
 	if [ ! -e "$1/$2" ]; then
 		return
 	fi
 	xz -dc "$1/$2" \
 		| grep-dctrl --no-field-names --show-field=Package,Version,Architecture,Filename '' \
 		| paste -sd "    \n" \
 		| while read -r name ver arch fname; do
 			if [ ! -e "$1/$fname" ]; then
 				continue
 			fi
 			# apt stores deb files with the colon encoded as %3a while
 			# mirrors do not contain the epoch at all #645895
 			case "$ver" in *:*) ver="${ver%%:*}%3a${ver#*:}";; esac
 			aptname="$rootdir/var/cache/apt/archives/${name}_${ver}_${arch}.deb"
 			# we have to cp and not mv because other
 			# distributions might still need this file
 			# we have to cp and not symlink because apt
 			# doesn't recognize symlinks
 			cp --link "$1/$fname" "$aptname"
 			echo "$aptname"
 		done
 }
 get_newaptnames() {
 	if [ ! -e "$1/$2" ]; then
 		return
 	fi
 	# skip empty files by trying to uncompress the first byte of the payload
 	if [ "$(xz -dc "$1/$2" | head -c1 | wc -c)" -eq 0 ]; then
 		return
 	fi
 	xz -dc "$1/$2" \
 		| grep-dctrl --no-field-names --show-field=Package,Version,Architecture,Filename,SHA256 '' \
 		| paste -sd "     \n" \
 		| while read -r name ver arch fname hash; do
 			# sanity check for the hash because sometimes the
 			# archive switches the hash algorithm
 			if [ "${#hash}" -ne 64 ]; then
 				echo "expected hash length of 64 but got ${#hash} for: $hash" >&2
 				exit 1
 			fi
 			dir="${fname%/*}"
 			# apt stores deb files with the colon encoded as %3a while
 			# mirrors do not contain the epoch at all #645895
 			case "$ver" in *:*) ver="${ver%%:*}%3a${ver#*:}";; esac
 			aptname="$rootdir/var/cache/apt/archives/${name}_${ver}_${arch}.deb"
 			if [ -e "$aptname" ]; then
 				# make sure that we found the right file by checking its hash
 				echo "$hash  $aptname" | sha256sum --check >&2
 				mkdir -p "$1/$dir"
 				# since we move hardlinks around, the same hardlink might've been
 				# moved already into the same place by another distribution.
 				# mv(1) refuses to copy A to B if both are hardlinks of each other.
 				if [ -e "$aptname" ] && [ -e "$1/$fname" ] && [ "$(stat -c "%d %i" "$aptname")" = "$(stat -c "%d %i" "$1/$fname")" ]; then
 					# both files are already the same so we just need to
 					# delete the source
 					rm "$aptname"
 				else
 					mv "$aptname" "$1/$fname"
 				fi
 				echo "$aptname"
 			fi
 		done
 }
 cleanupapt() {
 	echo "running cleanupapt" >&2
 	if [ ! -e "$rootdir" ]; then
@ -110,11 +175,10 @@ cleanupapt() {
 		"$rootdir/var/lib/dpkg/status" \
 		"$rootdir/var/lib/dpkg/lock-frontend" \
 		"$rootdir/var/lib/dpkg/lock" \
 		"$rootdir/var/lib/apt/lists/lock" \
 		"$rootdir/etc/apt/apt.conf" \
 		"$rootdir/etc/apt/sources.list.d/"* \
 		"$rootdir/etc/apt/preferences.d/"* \
 		"$rootdir/etc/apt/sources.list" \
 		"$rootdir/oldaptnames" \
 		"$rootdir/newaptnames" \
 		"$rootdir/var/cache/apt/archives/lock"; do
 		if [ ! -e "$f" ]; then
 			echo "does not exist: $f" >&2
@ -163,50 +227,35 @@ Apt::Get::Download-Only true;
 Acquire::Languages "none";
 Dir::Etc::Trusted "/etc/apt/trusted.gpg";
 Dir::Etc::TrustedParts "/etc/apt/trusted.gpg.d";
-Acquire::http::Proxy "http://127.0.0.1:8080/";
+Acquire::http::Dl-Limit "1000";
 Acquire::https::Dl-Limit "1000";
 Acquire::Retries "5";
 END
 	: > "$rootdir/var/lib/dpkg/status"
 	if [ "$dist" = "$DEFAULT_DIST" ] && [ "$nativearch" = "$HOSTARCH" ] && [ "$USE_HOST_APT_CONFIG" = "yes" ]; then
 		# we append sources and settings instead of overwriting after
 		# an empty line
 		for f in /etc/apt/sources.list /etc/apt/sources.list.d/*; do
 			[ -e "$f" ] || continue
 			[ -e "$rootdir/$f" ] && echo >> "$rootdir/$f"
 			# Filter out file:// repositories as they are added
 			# to each mmdebstrap call verbatim by
 			# debian/tests/copy_host_apt_config
 			# Also filter out all mirrors that are not of suite
 			# $DEFAULT_DIST, except experimental if the suite
 			# is unstable. This prevents packages from
 			# unstable entering a testing mirror.
 			if [ "$dist" = unstable ]; then
 				grep -v ' file://' "$f" \
 					| grep -E " (unstable|experimental) " \
 					>> "$rootdir/$f" || :
 			else
 				grep -v ' file://' "$f" \
 					| grep " $DEFAULT_DIST " \
 					>> "$rootdir/$f" || :
 			fi
 		done
 		for f in /etc/apt/preferences.d/*; do
 			[ -e "$f" ] || continue
 			[ -e "$rootdir/$f" ] && echo >> "$rootdir/$f"
 			cat "$f" >> "$rootdir/$f"
 		done
 	fi
 	echo "creating mirror for $dist" >&2
 	for f in /etc/apt/sources.list /etc/apt/sources.list.d/* /etc/apt/preferences.d/*; do
 		[ -e "$rootdir/$f" ] || continue
 		echo "contents of $f:" >&2
 		cat "$rootdir/$f" >&2
 	done
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get update
 	# before downloading packages and before replacing the old Packages
 	# file, copy all old *.deb packages from the mirror to
 	# /var/cache/apt/archives so that apt will not re-download *.deb
 	# packages that we already have
 	{
 		get_oldaptnames "$oldmirrordir" "dists/$dist/main/binary-$nativearch/Packages.xz"
 		case "$dist" in oldstable|stable)
 			get_oldaptnames "$oldmirrordir" "dists/$dist-updates/main/binary-$nativearch/Packages.xz"
 			;;
 		esac
 		case "$dist" in
 			oldstable)
 				get_oldaptnames "$oldcachedir/debian-security" "dists/$dist/updates/main/binary-$nativearch/Packages.xz"
 				;;
 			stable)
 				get_oldaptnames "$oldcachedir/debian-security" "dists/$dist-security/main/binary-$nativearch/Packages.xz"
 				;;
 		esac
 	} | sort -u > "$rootdir/oldaptnames"
 	pkgs=$(APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get indextargets \
 		--format '$(FILENAME)' 'Created-By: Packages' "Architecture: $nativearch" \
 		| xargs --delimiter='\n' /usr/lib/apt/apt-helper cat-file \
@ -227,8 +276,73 @@ END
 	# shellcheck disable=SC2086
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get --yes install $pkgs
 	# to be able to also test gpg verification, we need to create a mirror
 	mkdir -p "$newmirrordir/dists/$dist/main/binary-$nativearch/"
 	curl --location "$mirror/dists/$dist/Release" > "$newmirrordir/dists/$dist/Release"
 	curl --location "$mirror/dists/$dist/Release.gpg" > "$newmirrordir/dists/$dist/Release.gpg"
 	curl --location "$mirror/dists/$dist/main/binary-$nativearch/Packages.xz" > "$newmirrordir/dists/$dist/main/binary-$nativearch/Packages.xz"
 	codename=$(awk '/^Codename: / { print $2; }' < "$newmirrordir/dists/$dist/Release")
 	[ -L "$newmirrordir/dists/$codename" ] || ln -s "$dist" "$newmirrordir/dists/$codename"
 	case "$dist" in oldstable|stable)
 		mkdir -p "$newmirrordir/dists/$dist-updates/main/binary-$nativearch/"
 		curl --location "$mirror/dists/$dist-updates/Release" > "$newmirrordir/dists/$dist-updates/Release"
 		curl --location "$mirror/dists/$dist-updates/Release.gpg" > "$newmirrordir/dists/$dist-updates/Release.gpg"
 		curl --location "$mirror/dists/$dist-updates/main/binary-$nativearch/Packages.xz" > "$newmirrordir/dists/$dist-updates/main/binary-$nativearch/Packages.xz"
 		[ -L "$newmirrordir/dists/$codename-updates" ] || ln -s "$dist-updates" "$newmirrordir/dists/$codename-updates"
 		;;
 	esac
 	case "$dist" in
 		oldstable)
 			mkdir -p "$newcachedir/debian-security/dists/$dist/updates/main/binary-$nativearch/"
 			curl --location "$security_mirror/dists/$dist/updates/Release" > "$newcachedir/debian-security/dists/$dist/updates/Release"
 			curl --location "$security_mirror/dists/$dist/updates/Release.gpg" > "$newcachedir/debian-security/dists/$dist/updates/Release.gpg"
 			curl --location "$security_mirror/dists/$dist/updates/main/binary-$nativearch/Packages.xz" > "$newcachedir/debian-security/dists/$dist/updates/main/binary-$nativearch/Packages.xz"
 			;;
 		stable)
 			mkdir -p "$newcachedir/debian-security/dists/$dist-security/main/binary-$nativearch/"
 			curl --location "$security_mirror/dists/$dist-security/Release" > "$newcachedir/debian-security/dists/$dist-security/Release"
 			curl --location "$security_mirror/dists/$dist-security/Release.gpg" > "$newcachedir/debian-security/dists/$dist-security/Release.gpg"
 			curl --location "$security_mirror/dists/$dist-security/main/binary-$nativearch/Packages.xz" > "$newcachedir/debian-security/dists/$dist-security/main/binary-$nativearch/Packages.xz"
 			[ -L "$newcachedir/debian-security/dists/$codename-security" ] || ln -s "$dist-security" "$newcachedir/debian-security/dists/$codename-security"
 			;;
 	esac
 	# the deb files downloaded by apt must be moved to their right locations in the
 	# pool directory
 	#
 	# Instead of parsing the Packages file, we could also attempt to move the deb
 	# files ourselves to the appropriate pool directories. But that approach
 	# requires re-creating the heuristic by which the directory is chosen, requires
 	# stripping the epoch from the filename and will break once mirrors change.
 	# This way, it doesn't matter where the mirror ends up storing the package.
 	{
 		get_newaptnames "$newmirrordir" "dists/$dist/main/binary-$nativearch/Packages.xz";
 		case "$dist" in oldstable|stable)
 			get_newaptnames "$newmirrordir" "dists/$dist-updates/main/binary-$nativearch/Packages.xz"
 			;;
 		esac
 		case "$dist" in
 			oldstable)
 				get_newaptnames "$newcachedir/debian-security" "dists/$dist/updates/main/binary-$nativearch/Packages.xz"
 				;;
 			stable)
 				get_newaptnames "$newcachedir/debian-security" "dists/$dist-security/main/binary-$nativearch/Packages.xz"
 				;;
 		esac
 	} | sort -u > "$rootdir/newaptnames"
 	rm "$rootdir/var/cache/apt/archives/lock"
 	rmdir "$rootdir/var/cache/apt/archives/partial"
 	# remove all packages that were in the old Packages file but not in the
 	# new one anymore
 	comm -23 "$rootdir/oldaptnames" "$rootdir/newaptnames" | xargs --delimiter="\n" --no-run-if-empty rm
 	# now the apt cache should be empty
 	if [ -n "$(ls -1qA "$rootdir/var/cache/apt/archives/")" ]; then
 		echo "$rootdir/var/cache/apt/archives not empty:"
 		ls -la "$rootdir/var/cache/apt/archives/"
 		exit 1
 	fi
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get --option Dir::Etc::SourceList=/dev/null update
 	APT_CONFIG="$rootdir/etc/apt/apt.conf" apt-get clean
@ -283,16 +397,13 @@ security_mirror="http://security.debian.org/debian-security"
 components=main
 : "${DEFAULT_DIST:=unstable}"
 : "${ONLY_DEFAULT_DIST:=no}"
 : "${ONLY_HOSTARCH:=no}"
 : "${HAVE_QEMU:=yes}"
 : "${RUN_MA_SAME_TESTS:=yes}"
 # by default, use the mmdebstrap executable in the current directory
 : "${CMD:=./mmdebstrap}"
 : "${USE_HOST_APT_CONFIG:=no}"
-if [ -e "$oldmirrordir/dists/$DEFAULT_DIST/InRelease" ]; then
+if [ -e "$oldmirrordir/dists/$DEFAULT_DIST/Release" ]; then
-	http_code=$(curl --output /dev/null --silent --location --head --time-cond "$oldmirrordir/dists/$DEFAULT_DIST/InRelease" --write-out '%{http_code}' "$mirror/dists/$DEFAULT_DIST/InRelease")
+	http_code=$(curl --output /dev/null --silent --location --head --time-cond "$oldmirrordir/dists/$DEFAULT_DIST/Release" --write-out '%{http_code}' "$mirror/dists/$DEFAULT_DIST/Release")
 	case "$http_code" in
 		200) ;; # need update
 		304) echo up-to-date; exit 0;;
@ -300,19 +411,6 @@ if [ -e "$oldmirrordir/dists/$DEFAULT_DIST/InRelease" ]; then
 	esac
 fi
 ./caching_proxy.py "$oldcachedir" "$newcachedir" &
 PROXYPID=$!
 for i in $(seq 10); do
 	curl --proxy "http://127.0.0.1:8080/" --silent -o /dev/null "http://deb.debian.org/debian/dists/$DEFAULT_DIST/InRelease" && break
 	sleep 1
 done
 if [ ! -s "$newmirrordir/dists/$DEFAULT_DIST/InRelease" ]; then
 	echo "failed to start proxy" >&2
 	kill $PROXYPID
 	exit 1
 fi
 trap "cleanup_newcachedir" EXIT INT TERM
 mkdir -p "$newcachedir"
@ -326,23 +424,12 @@ elif [ "$HOSTARCH" = arm64 ]; then
 	arches="$arches amd64 armhf"
 fi
-# we need the split_inline_sig() function
+for nativearch in $arches; do
-# shellcheck disable=SC1091
+	for dist in oldstable stable testing unstable; do
 . /usr/share/debootstrap/functions
 for dist in oldstable stable testing unstable; do
 	for nativearch in $arches; do
 		# non-host architectures are only downloaded for $DEFAULT_DIST
 		if [ "$nativearch" != "$HOSTARCH" ] && [ "$DEFAULT_DIST" != "$dist" ]; then
 			continue
 		fi
 		# if ONLY_DEFAULT_DIST is set, only download DEFAULT_DIST
 		if [ "$ONLY_DEFAULT_DIST" = "yes" ] && [ "$DEFAULT_DIST" != "$dist" ]; then
 			continue
 		fi
 		if [ "$ONLY_HOSTARCH" = "yes" ] && [ "$nativearch" != "$HOSTARCH" ]; then
 			continue
 		fi
 		# we need a first pass without updates and security patches
 		# because otherwise, old package versions needed by
 		# debootstrap will not get included
@ -366,20 +453,8 @@ END
 				;;
 		esac
 	done
 	codename=$(awk '/^Codename: / { print $2; }' < "$newmirrordir/dists/$dist/InRelease")
 	ln -s "$dist" "$newmirrordir/dists/$codename"
 	# split the InRelease file into Release and Release.gpg not because apt
 	# or debootstrap need it that way but because grep-dctrl does
 	split_inline_sig \
 		"$newmirrordir/dists/$dist/InRelease" \
 		"$newmirrordir/dists/$dist/Release" \
 		"$newmirrordir/dists/$dist/Release.gpg"
 	touch --reference="$newmirrordir/dists/$dist/InRelease" "$newmirrordir/dists/$dist/Release" "$newmirrordir/dists/$dist/Release.gpg"
 done
 kill $PROXYPID
 # Create some symlinks so that we can trick apt into accepting multiple apt
 # lines that point to the same repository but look different. This is to
 # avoid the warning:
@ -425,25 +500,6 @@ if [ "$HAVE_QEMU" = "yes" ]; then
 			;;
 	esac
 	# we use the caching proxy again when building the qemu image
 	#  - we can re-use the packages that were already downloaded earlier
 	#  - we make sure that the qemu image uses the same Release file even
 	#    if a mirror push happened between now and earlier
 	#  - we avoid polluting the mirror with the additional packages by
 	#    using --readonly
 	./caching_proxy.py --readonly "$oldcachedir" "$newcachedir" &
 	PROXYPID=$!
 	for i in $(seq 10); do
 		curl --proxy "http://127.0.0.1:8080/" --silent -o /dev/null "http://deb.debian.org/debian/dists/$DEFAULT_DIST/InRelease" && break
 		sleep 1
 	done
 	if [ ! -s "$newmirrordir/dists/$DEFAULT_DIST/InRelease" ]; then
 		echo "failed to start proxy" >&2
 		kill $PROXYPID
 		exit 1
 	fi
 	# We must not use any --dpkgopt here because any dpkg options still
 	# leak into the chroot with chrootless mode.
 	# We do not use our own package cache here because
@ -485,12 +541,11 @@ if [ "$HAVE_QEMU" = "yes" ]; then
 		arches=$HOSTARCH
 	fi
 	$CMD --variant=apt --architectures="$arches" --include="$pkgs" \
-		--setup-hook='echo "Acquire::http::Proxy \"http://127.0.0.1:8080/\";" > "$1/etc/apt/apt.conf.d/00proxy"' \
+		--aptopt='Acquire::http::Dl-Limit "1000"' \
-		--customize-hook='rm "$1/etc/apt/apt.conf.d/00proxy"' \
+		--aptopt='Acquire::https::Dl-Limit "1000"' \
 		--aptopt='Acquire::Retries "5"' \
 		"$DEFAULT_DIST" - "$mirror" > "$tmpdir/debian-chroot.tar"
 	kill $PROXYPID
 	cat << END > "$tmpdir/mmdebstrap.service"
 [Unit]
 Description=mmdebstrap worker script
@ -618,6 +673,37 @@ END
 	trap "cleanup_newcachedir" EXIT INT TERM
 fi
 mirror="http://127.0.0.1/debian"
 for dist in oldstable stable testing unstable; do
 	for variant in minbase buildd -; do
 		echo "running debootstrap --variant=$variant $dist \${TEMPDIR} $mirror"
 		cat << END > shared/test.sh
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH
 echo "SOURCE_DATE_EPOCH=\$SOURCE_DATE_EPOCH"
 tmpdir="\$(mktemp -d)"
 chmod 755 "\$tmpdir"
 case "$dist" in
 	oldstable|stable)
 		debootstrap --no-merged-usr --variant=$variant $dist "\$tmpdir" $mirror
 		;;
 	*)
 		debootstrap --merged-usr --variant=$variant $dist "\$tmpdir" $mirror
 		;;
 esac
 tar --sort=name --mtime=@$SOURCE_DATE_EPOCH --clamp-mtime --numeric-owner --one-file-system --xattrs -C "\$tmpdir" -c . > "$newcache/debian-$dist-$variant.tar"
 rm -r "\$tmpdir"
 END
 		if [ "$HAVE_QEMU" = "yes" ]; then
 			cachedir=$newcachedir ./run_qemu.sh
 		else
 			./run_null.sh SUDO
 		fi
 	done
 done
 if [ "$HAVE_QEMU" = "yes" ]; then
 	# now replace the minihttpd config with one that serves the new repository
 	guestfish -a "$newcachedir/debian-$DEFAULT_DIST.qcow" -i <<EOF
--- a/157
+++ b/157
@ -23,7 +23,7 @@
 use strict;
 use warnings;
-our $VERSION = '1.3.3';
+our $VERSION = '1.3.1';
 use English;
 use Getopt::Long;
@ -305,7 +305,6 @@ sub shellescape {
 sub test_unshare_userns {
    my $verbose = shift;
    my $unshare_fail = shift;
    if ($EFFECTIVE_USER_ID == 0) {
        my $msg = "cannot unshare user namespace when executing as root";
        if ($verbose) {
@ -346,11 +345,7 @@ sub test_unshare_userns {
        if (($? >> 8) == 127) {
            my $msg = "cannot find newuidmap";
            if ($verbose) {
                if ($unshare_fail) {
                    error $msg;
                } else {
                warning $msg;
                }
            } else {
                debug $msg;
            }
@ -1341,11 +1336,11 @@ sub setup_mounts {
                  . " /sys directory is missing in the target");
        } elsif ((any { $_ eq $options->{mode} } ('root', 'unshare'))
            && !-e "/sys") {
-            warning("skipping mounting /sys because"
+            warning("skipping bind-mounting /sys because"
                  . " /sys does not exist on the outside");
        } elsif ((any { $_ eq $options->{mode} } ('root', 'unshare'))
            && !-d "/sys") {
-            warning("skipping mounting /sys because"
+            warning("skipping bind-mounting /sys because"
                  . " /sys on the outside is not a directory");
        } elsif ($options->{mode} eq 'root') {
            # we don't know whether we run in root mode inside an unshared
@ -1416,19 +1411,18 @@ sub setup_mounts {
                  . " /proc directory is missing in the target");
        } elsif ((any { $_ eq $options->{mode} } ('root', 'unshare'))
            && !-e "/proc") {
-            warning("skipping mounting /proc because"
+            warning("skipping bind-mounting /proc because"
                  . " /proc does not exist on the outside");
        } elsif ((any { $_ eq $options->{mode} } ('root', 'unshare'))
            && !-d "/proc") {
-            warning("skipping mounting /proc because"
+            warning("skipping bind-mounting /proc because"
                  . " /proc on the outside is not a directory");
-        } elsif (any { $_ eq $options->{mode} } ('root', 'unshare')) {
+        } elsif ($options->{mode} eq 'root') {
            # we don't know whether we run in root mode inside an unshared
            # user namespace or as real root so we first try the real mount and
            # then fall back to mounting in a way that works in unshared
            if (
-                $options->{mode} eq 'root'
+                0 == system(
                && 0 == system(
                    'mount', '-t', 'proc', '-o', 'ro', 'proc',
                    "$options->{root}/proc"
                )
@ -1457,35 +1451,22 @@ sub setup_mounts {
                    0 == system('umount', '--no-mtab', "$options->{root}/proc")
                      or warning("umount /proc failed: $?");
                };
            } elsif (
                # if mounting proc failed, try bind-mounting it read-only as a
                # last resort
                0 == system(
                    'mount', '-o',
                    'rbind', '/proc',
                    "$options->{root}/proc"
                )
            ) {
                warning("since mounting /proc normally failed, /proc is now "
                      . "bind-mounted instead");
                # to make sure that changes (like unmounting) to the
                # bind-mounted /proc do not affect the outside /proc, change
                # all the bind-mounts under /proc to be a slave mount.
                if (
                    0 != system('mount', '--make-rslave',
                        "$options->{root}/proc")) {
                    warning("mount --make-rslave /proc failed");
                }
                push @cleanup_tasks, sub {
                    # since we cannot write to /etc/mtab we need --no-mtab
                    0 == system(
                        'umount', '--no-mtab',
                        '--lazy', "$options->{root}/proc"
                    ) or warning("umount /proc failed: $?");
                };
            } else {
                error "mount /proc failed: $?";
            }
        } elsif ($options->{mode} eq 'unshare') {
            # naturally we have to clean up after ourselves in sudo mode where
            # we do a real mount. But we also need to unmount in unshare mode
            # because otherwise, even with the --one-file-system tar option,
            # the permissions of the mount source will be stored and not the
            # mount target (the directory)
            push @cleanup_tasks, sub {
                # since we cannot write to /etc/mtab we need --no-mtab
                0 == system('umount', '--no-mtab', "$options->{root}/proc")
                  or warning("umount /proc failed: $?");
            };
            0 == system('mount', '-t', 'proc', 'proc', "$options->{root}/proc")
              or error "mount /proc failed: $?";
        } elsif (any { $_ eq $options->{mode} } ('fakechroot', 'chrootless')) {
            # we cannot mount in fakechroot mode
        } else {
@ -4730,7 +4711,7 @@ sub main() {
        );
        close $fh;
        if (    $? == 0
-            and $content =~ /^apt (\d+\.\d+\.\d+)\S* \(\S+\)$/am) {
+            and $content =~ /^apt (\d+\.\d+\.\d+)\w* \(\S+\)$/am) {
            $aptversion = version->new($1);
        }
        if ($aptversion < "2.3.14") {
@ -4816,7 +4797,7 @@ sub main() {
        }
        # ...or we are not root and then we need to be able to unshare the user
        # namespace.
-        if ($EFFECTIVE_USER_ID != 0 && !test_unshare_userns(1, 1)) {
+        if ($EFFECTIVE_USER_ID != 0 && !test_unshare_userns(1)) {
            my $procfile = '/proc/sys/kernel/unprivileged_userns_clone';
            open(my $fh, '<', $procfile)
              or error "failed to open $procfile: $!";
@ -6033,16 +6014,12 @@ sub main() {
    close $nblkwriter;
    if (!$options->{dryrun} && $format eq 'ext2') {
        $numblocks = <$nblkreader>;
-        if (defined $numblocks) {
+        if (!defined $numblocks) {
            chomp $numblocks;
        } else {
            # This can happen if the setup process died early and thus closes
            # the pipe from the other and. The EOF is turned into undef.
-            # we cannot die here because that would skip the cleanup task
+            error "failed to read required number of blocks";
            warning "failed to read required number of blocks";
            $exitstatus = 1;
            $numblocks  = -1;
        }
        chomp $numblocks;
    }
    close $nblkreader;
@ -6371,26 +6348,13 @@ Example: Minimizing the number of packages installed from experimental
 =item B<--keyring>=I<file>|I<directory>
-Change the default keyring to use by apt during the initial setup. This is
+Change the default keyring to use by apt. By default, F</etc/apt/trusted.gpg>
-similar to setting B<Dir::Etc::Trusted> and B<Dir::Etc::TrustedParts> using
+and F</etc/apt/trusted.gpg.d> are used. Depending on whether a file or
-B<--aptopt> except that the latter setting will be permanently stored in the
+directory is passed to this option, the former and latter default can be
-chroot while the keyrings passed via <--keyring> will only be visible to apt as
+changed, respectively.  Since apt only supports a single keyring file and
-run by B<mmdebstrap>. Do not use B<--keyring> if apt inside the chroot needs to
+directory, respectively, you can B<not> use this option to pass multiple files
-know about your keys after the initial chroot creation by B<mmdebstrap>. This
+and/or directories. Using the C<--keyring> argument in the following way is
-option is mainly intended for users who use B<mmdebstrap> as a B<deboostrap>
+equal to keeping the default:
 drop-in replacement. As such, it is probably not what you want to use if you
 use B<mmdebstrap> with more than a single mirror unless you pass it a directory
 containing all the keyrings you need.
 By default, the local setting of B<Dir::Etc::Trusted> and
 B<Dir::Etc::TrustedParts> are used to choose the keyring used by apt as run by
 B<mmdebstrap>. These two locations are set to F</etc/apt/trusted.gpg> and
 F</etc/apt/trusted.gpg.d> by default. Depending on whether a file or directory
 is passed to this option, the former and latter default can be changed,
 respectively.  Since apt only supports a single keyring file and directory,
 respectively, you can B<not> use this option to pass multiple files and/or
 directories. Using the C<--keyring> argument in the following way is equal to
 keeping the default:
    --keyring=/etc/apt/trusted.gpg --keyring=/etc/apt/trusted.gpg.d
@ -6399,10 +6363,6 @@ specifying the mirror like this:
    mmdebstrap mysuite out.tar "deb [signed-by=/path/to/key.gpg] http://..."
 Another reason to use C<signed-by> instead of B<--keyring> is if apt inside the
 chroot needs to know by what key the repository is signed even after the
 initial chroot creation.
 The C<signed-by> option will automatically be added to the final
 C<sources.list> if the keyring required for the selected I<SUITE> is not yet
 trusted by apt. Automatically adding the C<signed-by> option in these cases
@ -6414,13 +6374,6 @@ installed, then you can create a Ubuntu Bionic chroot on Debian like this:
 The resulting chroot will have a C<source.list> with a C<signed-by> option
 pointing to F</usr/share/keyrings/ubuntu-archive-keyring.gpg>.
 You do not need to use B<--keyring> or C<signed-by> if you placed the keys that
 apt needs to know about into F</etc/apt/trusted.gpg.d> in the B<--setup-hook>
 (which is before C<apt update> runs), for example by using the <copy-in>
 special hook. You also need to copy your keys into the chroot explicitly if the
 key you passed via C<signed-by> points to a location that is not otherwise
 populated during chroot creation (for example by installing a keyring package).
 =item B<--dpkgopt>=I<option>|I<file>
 Pass arbitrary I<option>s to dpkg. Will be permanently added to
@ -6481,16 +6434,16 @@ comma or whitespace.
 =item B<--components>=I<comp1>[,I<comp2>,...]
-Comma or whitespace separated list of components like main, contrib, non-free
+Comma or whitespace separated list of components like main, contrib and
-and non-free-firmware which will be used for all URI-only I<MIRROR> arguments.
+non-free which will be used for all URI-only I<MIRROR> arguments. The option
-The option can be specified multiple times and the components are concatenated
+can be specified multiple times and the components are concatenated in the
-in the order in which they are given on the command line. If later list items
+order in which they are given on the command line. If later list items are
-are repeated, then they get dropped so that the resulting component list is
+repeated, then they get dropped so that the resulting component list is free
-free of duplicates. So the following are equivalent:
+of duplicates. So the following are equivalent:
-    --components="main contrib non-free non-free-firmware"
+    --components="main contrib non-free"
-    --components=main,contrib,non-free,non-free-firmware
+    --components=main,contrib,non-free
-    --comp=main --comp="contrib non-free" --comp="main,non-free-firmware"
+    --comp=main --comp="contrib non-free" --comp="main,non-free"
 =item B<--architectures>=I<native>[,I<foreign1>,...]
@ -6682,30 +6635,14 @@ needs to be able to mount and thus requires C<SYS_CAP_ADMIN>.
 =item B<unshare>
-When used as a normal (not root) user, this mode uses Linux user namespaces to
+This mode uses Linux user namespaces to allow unprivileged use of chroot and
-allow unprivileged use of chroot and creation of files that appear to be owned
+creation of files that appear to be owned by the superuser inside the unshared
-by the superuser inside the unshared namespace. A tarball created in this mode
+namespace. A tarball created in this mode should be bit-by-bit identical to a
-will be bit-by-bit identical to a tarball created with the B<root> mode. With
+tarball created with the B<root> mode.
 this mode, the only binaries that will run as the root user will be
 B<newuidmap(1)> and B<newgidmap(1)> via their setuid bit. Running those
 successfully requires F</etc/subuid> and F</etc/subgid> to have an entry for
 your username. This entry was usually created by B<adduser(8)> already.
 The unshared user will not automatically have access to the same files as you
 do. This is intentional and an additional security against unintended changes
 to your files that could theoretically result from running B<mmdebstrap> and
 package maintainer scripts. To copy files in and out of the chroot, either use
 globally readable or writable directories or use special hooks like B<copy-in>
 and B<copy-out>.
 Besides the user namespace, the mount, pid (process ids), uts (hostname) and
 ipc namespaces will be unshared as well. See the man pages of B<namespaces(7)>
 and B<unshare(2)> as well as the manual pages they are linking to.
 A directory chroot created with this mode will end up with wrong ownership
-information (seen from outside the unshared user namespace). For correct
+information. For correct ownership information, the directory must be accessed
-ownership information, the directory must be accessed from a user namespace
+from a user namespace with the right subuid/subgid offset, like so:
 with the right subuid/subgid offset, like so:
    $ lxc-usernsexec -- lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
    > /usr/sbin/chroot ./debian-rootfs /bin/bash
--- a/6
+++ b/6
@ -178,14 +178,14 @@ Lastly, shift user id and group id of each entry by the value given by the
        skip = False
        if not hasattr(args, "pathfilter"):
            return False
-        for t, r in args.pathfilter:
+        for (t, r) in args.pathfilter:
            if r.match(member.name[1:]) is not None:
                if t == "path_include":
                    skip = False
                else:
                    skip = True
        if skip and (member.isdir() or member.issym()):
-            for t, r in args.pathfilter:
+            for (t, r) in args.pathfilter:
                if t != "path_include":
                    continue
                prefix = prefix_prog.sub(r"\1", r.pattern)
@ -198,7 +198,7 @@ Lastly, shift user id and group id of each entry by the value given by the
        if not hasattr(args, "paxfilter"):
            return False
        skip = False
-        for t, r in args.paxfilter:
+        for (t, r) in args.paxfilter:
            if r.match(header) is None:
                continue
            if t == "pax_include":
--- a/tests/as-debootstrap-unshare-wrapper
+++ b/tests/as-debootstrap-unshare-wrapper
@ -2,58 +2,18 @@
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
-
+if [ ! -e /mmdebstrap-testenv ]; then
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
 # debootstrap uses apt-config to figure out whether the system running it has
 # any proxies configured and then runs the binary to set the http_proxy
 # environment variable. This will fail if debootstrap is run in a linux user
 # namespace because auto-apt-proxy will see /tmp/.auto-apt-proxy-0 as being
 # owned by the user "nobody" and group "nogroup" and fail with:
 #   insecure cache dir /tmp/.auto-apt-proxy-0. Must be owned by UID 0 and have permissions 700
 # We cannot overwrite a configuration item using the APT_CONFIG environment
 # variable, so instead we use it to set the Dir configuration option
 # to /dev/null to force all apt settings to their defaults.
 # There is currently no better way to disable this behavior. See also:
 # https://bugs.debian.org/1031105
 # https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/90
 AUTOPROXY=
 eval "$(apt-config shell AUTOPROXY Acquire::http::Proxy-Auto-Detect)"
 if [ -n "$AUTOPROXY" ] && [ -x "$AUTOPROXY" ] && [ -e /tmp/.auto-apt-proxy-0 ]; then
 	TMP_APT_CONFIG=$(mktemp)
 	echo "Dir \"/dev/null\";" > "$TMP_APT_CONFIG"
 	chmod 644 "$TMP_APT_CONFIG"
 fi
 # debootstrap runs mount -t proc proc /proc which doesn't work in an unshared
 # namespace on privileged docker (like salsaci), so mount /proc manually
 # https://bugs.debian.org/1031222
 # https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/91
 $prefix {{ CMD }} --variant=custom --mode={{ MODE }} \
 	--setup-hook='env '"${AUTOPROXY:+APT_CONFIG='$TMP_APT_CONFIG'}"' container=lxc debootstrap --variant={{ VARIANT }} unstable "$1" {{ MIRROR }}' \
 	--setup-hook='mount -o rbind /proc "$1/proc"' \
 	--setup-hook='chroot "$1" dpkg-reconfigure systemd || true' \
 	--setup-hook='umount --lazy "$1/proc"' \
 	- /tmp/debian-mm.tar {{ MIRROR }}
 if [ -n "$AUTOPROXY" ] && [ -x "$AUTOPROXY" ] && [ -e /tmp/.auto-apt-proxy-0 ]; then
 	rm "$TMP_APT_CONFIG"
 fi
 useradd --home-dir /home/user --create-home user
 runuser -u user -- {{ CMD }} --variant=custom --mode=unshare --setup-hook='env container=lxc debootstrap unstable "$1" {{ MIRROR }}' - /tmp/debian-mm.tar {{ MIRROR }}
 mkdir /tmp/debian-mm
 tar --xattrs --xattrs-include='*' -C /tmp/debian-mm -xf /tmp/debian-mm.tar
 mkdir /tmp/debian-debootstrap
-tar --xattrs --xattrs-include='*' -C /tmp/debian-debootstrap -xf "cache/debian-unstable-{{ VARIANT }}.tar"
+tar --xattrs --xattrs-include='*' -C /tmp/debian-debootstrap -xf "cache/debian-unstable--.tar"
 # diff cannot compare device nodes, so we use tar to do that for us and then
 # delete the directory
@ -78,23 +38,18 @@ find /tmp/debian-debootstrap/run/ -mindepth 1 -maxdepth 1 ! -name lock -print0 |
 # debootstrap doesn't clean apt
 rm /tmp/debian-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_unstable_main_binary-{{ HOSTARCH }}_Packages \
 	/tmp/debian-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_unstable_InRelease \
 	/tmp/debian-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_unstable_Release \
 	/tmp/debian-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_unstable_Release.gpg
-if [ -e /tmp/debian-debootstrap/etc/machine-id ]; then
+rm /tmp/debian-debootstrap/etc/machine-id /tmp/debian-mm/etc/machine-id
 	rm /tmp/debian-debootstrap/etc/machine-id /tmp/debian-mm/etc/machine-id
 fi
 rm /tmp/debian-mm/var/cache/apt/archives/lock
 rm /tmp/debian-mm/var/lib/apt/lists/lock
 rm /tmp/debian-mm/var/lib/dpkg/arch
 # workaround for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917773
 # also needed for users that are created by systemd-sysusers before systemd 252
 # https://github.com/systemd/systemd/pull/24534
 for f in shadow shadow-; do
 	if [ ! -e /tmp/debian-debootstrap/etc/$f ]; then
 		continue
 	fi
 	if ! cmp /tmp/debian-debootstrap/etc/$f /tmp/debian-mm/etc/$f >&2; then
 		echo patching /etc/$f >&2
 		awk -v FS=: -v OFS=: -v SDE={{ SOURCE_DATE_EPOCH }} '{ print $1,$2,int(SDE/60/60/24),$4,$5,$6,$7,$8,$9 }' < /tmp/debian-mm/etc/$f > /tmp/debian-mm/etc/$f.bak
--- a/tests/auto-mode-as-normal-user
+++ b/tests/auto-mode-as-normal-user
@ -1,22 +0,0 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -f /tmp/debian-chroot.tar.gz" EXIT INT TERM
 [ {{ MODE }} = "auto" ]
 prefix=
 if [ "$(id -u)" -eq 0 ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 			echo "this test modifies the system and should only be run inside a container" >&2
 			exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
 $prefix {{ CMD }} --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/debian-chroot.tar.gz {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar.gz | sort | diff -u tar1.txt -
--- a/tests/check-against-debootstrap-dist
+++ b/tests/check-against-debootstrap-dist
@ -96,7 +96,6 @@ fi
 find /tmp/debian-{{ DIST }}-debootstrap/run/ -mindepth 1 -maxdepth 1 ! -name lock -print0 | xargs --no-run-if-empty -0 rm -r
 # debootstrap doesn't clean apt
 rm /tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_main_binary-{{ HOSTARCH }}_Packages \
 	/tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_InRelease \
 	/tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_Release \
 	/tmp/debian-{{ DIST }}-debootstrap/var/lib/apt/lists/127.0.0.1_debian_dists_{{ DIST }}_Release.gpg
@ -183,6 +182,23 @@ if [ "{{ VARIANT }}" = "-" ]; then
 	esac
 fi
 # workaround for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917773
 case {{ DIST }} in oldstable|stable)
 for f in shadow shadow-; do
 	if [ ! -e /tmp/debian-{{ DIST }}-mm/etc/$f ]; then
 		continue
 	fi
 	if ! cmp /tmp/debian-{{ DIST }}-debootstrap/etc/$f /tmp/debian-{{ DIST }}-mm/etc/$f >&2; then
 		echo patching /etc/$f on {{ DIST }} {{ VARIANT }} >&2
 		awk -v FS=: -v OFS=: -v SDE={{ SOURCE_DATE_EPOCH }} '{ print $1,$2,int(SDE/60/60/24),$4,$5,$6,$7,$8,$9 }' < /tmp/debian-{{ DIST }}-mm/etc/$f > /tmp/debian-{{ DIST }}-mm/etc/$f.bak
 		cat /tmp/debian-{{ DIST }}-mm/etc/$f.bak > /tmp/debian-{{ DIST }}-mm/etc/$f
 		rm /tmp/debian-{{ DIST }}-mm/etc/$f.bak
 	else
 		echo no difference for /etc/$f on {{ DIST }} {{ VARIANT }} >&2
 	fi
 done;;
 esac
 # check if the file content differs
 diff --unified --no-dereference --recursive /tmp/debian-{{ DIST }}-debootstrap /tmp/debian-{{ DIST }}-mm >&2
--- a/tests/check-for-bit-by-bit-identical-format-output
+++ b/tests/check-for-bit-by-bit-identical-format-output
@ -1,21 +1,36 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
+if [ ! -e /mmdebstrap-testenv ]; then
 trap "rm -f /tmp/debian-chroot-{{ MODE }}.{{ FORMAT }}" EXIT INT TERM
 if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 	fi
 	useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 fi
-runuser -u "${SUDO_USER:-user}" -- {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot-{{ MODE }}.{{ FORMAT }} {{ MIRROR }}
+useradd --home-dir /home/user --create-home user
-cmp ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.{{ FORMAT }} /tmp/debian-chroot-{{ MODE }}.{{ FORMAT }} \
+export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
-	|| diffoscope ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.{{ FORMAT }} /tmp/debian-chroot-{{ MODE }}.{{ FORMAT }}
+{{ CMD }} --mode=root --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot-root.{{ FORMAT }} {{ MIRROR }}
-
+if [ "{{ FORMAT }}" = tar ]; then
 	printf 'ustar ' | cmp --bytes=6 --ignore-initial=257:0 /tmp/debian-chroot-root.tar -
 elif [ "{{ FORMAT }}" = squashfs ]; then
 	printf 'hsqs' | cmp --bytes=4 /tmp/debian-chroot-root.squashfs -
 elif [ "{{ FORMAT }}" = ext2 ]; then
 	printf '\123\357' | cmp --bytes=2 --ignore-initial=1080:0 /tmp/debian-chroot-root.ext2 -
 else
 	echo "unknown format: {{ FORMAT }}" >&2
 	exit 1
 fi
 runuser -u user -- {{ CMD }} --mode=unshare --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot-unshare.{{ FORMAT }} {{ MIRROR }}
 cmp /tmp/debian-chroot-root.{{ FORMAT }} /tmp/debian-chroot-unshare.{{ FORMAT }}
 rm /tmp/debian-chroot-unshare.{{ FORMAT }}
 case {{ VARIANT }} in essential|apt|minbase|buildd)
 	# variants important and standard differ because permissions drwxr-sr-x
 	# and extended attributes of ./var/log/journal/ cannot be preserved
 	# in fakechroot mode
 	runuser -u user -- {{ CMD }} --mode=fakechroot --variant={{ VARIANT }} {{ DIST }} /tmp/debian-chroot-fakechroot.{{ FORMAT }} {{ MIRROR }}
 	cmp /tmp/debian-chroot-root.{{ FORMAT }} /tmp/debian-chroot-fakechroot.{{ FORMAT }}
 	rm /tmp/debian-chroot-fakechroot.{{ FORMAT }}
 	;;
 esac
 # we cannot test chrootless mode here, because mmdebstrap relies on the
 # usrmerge package to set up merged-/usr and that doesn't work in chrootless
 # mode
 rm /tmp/debian-chroot-root.{{ FORMAT }}
--- a/tests/chrootless
+++ b/tests/chrootless
@ -11,6 +11,6 @@ for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
 			${INCLUDE:+--include="$INCLUDE"} \
 			{{ DIST }} "/tmp/$MODE.tar" {{ MIRROR }}
 	done
-	cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
+	cmp /tmp/root.tar /tmp/chrootless.tar
 	rm /tmp/chrootless.tar /tmp/root.tar
 done
--- a/tests/chrootless-fakeroot
+++ b/tests/chrootless-fakeroot
@ -3,21 +3,15 @@ set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
 trap "rm -f /tmp/chrootless.tar /tmp/root.tar" EXIT INT TERM
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 [ {{ MODE }} = chrootless ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
 [ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 # we need --hook-dir=./hooks/merged-usr because usrmerge does not understand
 # DPKG_ROOT
 # permissions drwxr-sr-x and extended attributes of ./var/log/journal/ cannot
@ -27,9 +21,9 @@ for INCLUDE in '' 'apt' 'apt,build-essential' 'systemd-sysv'; do
 		--customize-hook='if [ -d "$1"/var/log/journal ]; then rmdir "$1"/var/log/journal; mkdir --mode=2755 "$1"/var/log/journal; chroot "$1" chown root:systemd-journal /var/log/journal; fi' \
 		${INCLUDE:+--include="$INCLUDE"} \
 		{{ DIST }} /tmp/root.tar {{ MIRROR }}
-	$prefix fakeroot {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
+	$prefix fakeroot {{ CMD }} --mode=chrootless --variant={{ VARIANT }} --hook-dir=./hooks/merged-usr \
 		${INCLUDE:+--include="$INCLUDE"} \
 		{{ DIST }} /tmp/chrootless.tar {{ MIRROR }}
-	cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
+	cmp /tmp/root.tar /tmp/chrootless.tar
 	rm /tmp/chrootless.tar /tmp/root.tar
 done
--- a/tests/chrootless-foreign
+++ b/tests/chrootless-foreign
@ -63,6 +63,6 @@ for INCLUDE in '' 'apt' 'systemd-sysv'; do
 			> "/tmp/$tar.tar.tmp"
 		mv "/tmp/$tar.tar.tmp" "/tmp/$tar.tar"
 	done
-	cmp /tmp/root.tar /tmp/chrootless.tar || diffoscope /tmp/root.tar /tmp/chrootless.tar
+	cmp /tmp/root.tar /tmp/chrootless.tar
 	rm /tmp/chrootless.tar /tmp/root.tar
 done
--- a/tests/create-arm64-tarball
+++ b/tests/create-arm64-tarball
@ -1,19 +1,15 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
 [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && prefix="runuser -u user --"
 [ "{{ MODE }}" = "fakechroot" ] && prefix="$prefix fakechroot fakeroot"
 $prefix {{ CMD }} --mode={{ MODE }} --variant=apt --architectures=arm64 {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 # we ignore differences between architectures by ignoring some files
--- a/tests/create-directory
+++ b/tests/create-directory
@ -1,9 +1,7 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -rf /tmp/debian-chroot" EXIT INT TERM
 {{ CMD }} --mode=root --variant=apt {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 chroot /tmp/debian-chroot dpkg-query --showformat '${binary:Package}\n' --show > pkglist.txt
 tar -C /tmp/debian-chroot --one-file-system -c . | tar -t | sort > tar1.txt
 rm -r /tmp/debian-chroot
--- a/tests/create-gzip-compressed-tarball
+++ b/tests/create-gzip-compressed-tarball
@ -1,20 +1,12 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ ! -e /mmdebstrap-testenv ]; then
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+useradd --home-dir /home/user --create-home user
-$prefix {{ CMD }} --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/debian-chroot.tar.gz {{ MIRROR }}
+runuser -u user -- {{ CMD }} --mode=unshare --variant=apt {{ DIST }} /tmp/debian-chroot.tar.gz {{ MIRROR }}
 printf '\037\213\010' | cmp --bytes=3 /tmp/debian-chroot.tar.gz -
 tar -tf /tmp/debian-chroot.tar.gz | sort | diff -u tar1.txt -
 rm /tmp/debian-chroot.tar.gz
--- a/tests/create-tarball-dry-run
+++ b/tests/create-tarball-dry-run
@ -8,14 +8,15 @@ export LC_ALL=C.UTF-8
 prefix=
 include=,
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != root ] && [ "{{ MODE }}" != auto ]; then
-	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
+	# this must be qemu
 	if ! id -u user >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 			echo "this test modifies the system and should only be run inside a container" >&2
 			exit 1
 		fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+		useradd --home-dir /home/user --create-home user
 	fi
-	prefix="runuser -u ${SUDO_USER:-user} --"
+	prefix="runuser -u user --"
 	if [ "{{ VARIANT }}" = extract ] || [ "{{ VARIANT }}" = custom ]; then
 		include="$(tr '\n' ',' < pkglist.txt)"
 	fi
--- a/tests/custom-tmpdir
+++ b/tests/custom-tmpdir
@ -1,33 +1,25 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ ! -e /mmdebstrap-testenv ]; then
 [ "$(id -u)" -eq 0 ]
 [ {{ MODE }} = "unshare" ]
 if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 	fi
 	useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 fi
 prefix="runuser -u ${SUDO_USER:-user} --"
 # https://www.etalabs.net/sh_tricks.html
 quote () { printf %s\\n "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/" ; }
-homedir=$($prefix sh -c 'cd && pwd')
+useradd --home-dir /home/user --create-home user
 homedir=$(runuser -u user -- sh -c 'cd && pwd')
 # apt:test/integration/test-apt-key
 TMPDIR_ADD="This is fü\$\$ing cràzy, \$(apt -v)\$!"
-$prefix mkdir "$homedir/$TMPDIR_ADD"
+runuser -u user -- mkdir "$homedir/$TMPDIR_ADD"
 # make sure the unshared user can traverse into the TMPDIR
 chmod 711 "$homedir"
 # set permissions and sticky bit like the real /tmp
 chmod 1777 "$homedir/$TMPDIR_ADD"
-$prefix env TMPDIR="$homedir/$TMPDIR_ADD" {{ CMD }} --mode={{ MODE }} --variant=apt \
+runuser -u user -- env TMPDIR="$homedir/$TMPDIR_ADD" {{ CMD }} --mode=unshare --variant=apt \
 	--setup-hook='case "$1" in '"$(quote "$homedir/$TMPDIR_ADD/mmdebstrap.")"'??????????) exit 0;; *) echo "$1"; exit 1;; esac' \
 	 {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
 # use rmdir as a quick check that nothing is remaining in TMPDIR
-$prefix rmdir "$homedir/$TMPDIR_ADD"
+runuser -u user -- rmdir "$homedir/$TMPDIR_ADD"
 rm /tmp/debian-chroot.tar
--- a/tests/cwd-directory-not-accessible-by-unshared-user
+++ b/tests/cwd-directory-not-accessible-by-unshared-user
@ -1,30 +1,21 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ ! -e /mmdebstrap-testenv ]; then
 [ "$(id -u)" -eq 0 ]
 [ {{ MODE }} = "unshare" ]
 if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
       if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
       fi
       useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 fi
-prefix="runuser -u ${SUDO_USER:-user} --"
+useradd --home-dir /home/user --create-home user
 mkdir /tmp/debian-chroot
 chmod 700 /tmp/debian-chroot
-chown "${SUDO_USER:-user}:${SUDO_USER:-user}" /tmp/debian-chroot
+chown user:user /tmp/debian-chroot
 set -- env --chdir=/tmp/debian-chroot
 if [ "{{ CMD }}" = "./mmdebstrap" ]; then
-	set -- "$@" "$(realpath --canonicalize-existing ./mmdebstrap)"
+	set -- "$(realpath --canonicalize-existing ./mmdebstrap)"
 elif [ "{{ CMD }}" = "perl -MDevel::Cover=-silent,-nogcov ./mmdebstrap" ]; then
-	set -- "$@" perl -MDevel::Cover=-silent,-nogcov "$(realpath --canonicalize-existing ./mmdebstrap)"
+	set -- perl -MDevel::Cover=-silent,-nogcov "$(realpath --canonicalize-existing ./mmdebstrap)"
 else
-	set -- "$@" {{ CMD }}
+	set -- {{ CMD }}
 fi
-$prefix "$@" --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
+env --chdir=/tmp/debian-chroot runuser -u user -- "$@" --mode=unshare --variant=apt {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
 rm /tmp/debian-chroot.tar
--- a/tests/debootstrap
+++ b/tests/debootstrap
@ -1,17 +0,0 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
 tmpdir="$(mktemp -d)"
 chmod 755 "$tmpdir"
 case "{{ DIST }}" in
 	oldstable|stable)
 		debootstrap --no-merged-usr --variant={{ VARIANT }} {{ DIST }} "$tmpdir" {{ MIRROR }}
 		;;
 	*)
 		debootstrap --merged-usr --variant={{ VARIANT }} {{ DIST }} "$tmpdir" {{ MIRROR }}
 		;;
 esac
 tar --sort=name --mtime=@$SOURCE_DATE_EPOCH --clamp-mtime --numeric-owner --one-file-system --xattrs -C "$tmpdir" -c . > "./cache/debian-{{ DIST }}-{{ VARIANT }}.tar"
 rm -r "$tmpdir"
--- a/tests/dev-ptmx
+++ b/tests/dev-ptmx
@ -7,17 +7,15 @@ if [ {{ MODE }} != unshare ] && [ {{ MODE }} != root ]; then
 	exit 1
 fi
-prefix=
+if [ ! -e /mmdebstrap-testenv ]; then
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
 if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 	useradd --home-dir /home/user --create-home user
 fi
 prefix=
 [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && prefix="runuser -u user --"
 # this mimics what apt does in apt-pkg/deb/dpkgpm.cc/pkgDPkgPM::StartPtyMagic()
 cat > /tmp/test.c << 'END'
@ -125,13 +123,12 @@ script -qfec "$prefix {{ CMD }} --mode={{ MODE }} --variant=apt \
 	--customize-hook='chroot \"\$1\" runuser -u user -- python3 -c \"import pty; print(pty.openpty())\"' \
 	--customize-hook='chroot \"\$1\" script -c \"echo foobar\"' \
 	--customize-hook='chroot \"\$1\" runuser -u user -- env --chdir=/home/user script -c \"echo foobar\"' \
-	--customize-hook='chroot \"\$1\" apt-get install --yes doc-debian 2>&1 | tee \"\$1\"/tmp/log' \
+	--customize-hook='chroot \"\$1\" apt-get install --yes doc-debian 2>&1 | tee /tmp/log' \
 	--customize-hook=\"copy-in /tmp/test.c /tmp\" \
 	--customize-hook='chroot \"\$1\" gcc /tmp/test.c -o /tmp/test' \
 	--customize-hook='chroot \"\$1\" /tmp/test' \
 	--customize-hook='chroot \"\$1\" runuser -u user -- /tmp/test' \
 	--customize-hook='rm \"\$1\"/tmp/test \"\$1\"/tmp/test.c' \
 	--customize-hook=\"copy-out /tmp/log /tmp\" \
 	{{ DIST }} /dev/null {{ MIRROR }}" /dev/null
 fail=0
--- a/tests/dist-using-codename
+++ b/tests/dist-using-codename
@ -4,10 +4,8 @@
 set -eu
 export LC_ALL=C.UTF-8
-trap "rm -f InRelease; rm -rf /tmp/debian-chroot.tar /tmp/expected" EXIT INT TERM
+trap "rm -f Release; rm -rf /tmp/debian-chroot" EXIT INT TERM
-/usr/lib/apt/apt-helper download-file "{{ MIRROR }}/dists/{{ DIST }}/InRelease" InRelease
+/usr/lib/apt/apt-helper download-file "{{ MIRROR }}/dists/{{ DIST }}/Release" Release
-codename=$(awk '/^Codename: / { print $2; }' InRelease)
+codename=$(awk '/^Codename: / { print $2; }' Release)
-{{ CMD }} --mode={{ MODE }} --variant=apt "$codename" /tmp/debian-chroot.tar {{ MIRROR }}
+{{ CMD }} --mode={{ MODE }} --variant=apt "$codename" /tmp/debian-chroot {{ MIRROR }}
-echo "deb {{ MIRROR }} $codename main" > /tmp/expected
+echo "deb {{ MIRROR }} $codename main" | diff -u - /tmp/debian-chroot/etc/apt/sources.list
 tar --to-stdout --extract --file /tmp/debian-chroot.tar ./etc/apt/sources.list \
 	| diff -u /tmp/expected -
--- a/tests/essential-hook
+++ b/tests/essential-hook
@ -8,7 +8,7 @@ echo tzdata tzdata/Zones/Europe select Berlin | chroot "$1" debconf-set-selectio
 SCRIPT
 chmod +x /tmp/essential.sh
 {{ CMD }} --mode=root --variant=apt --include=tzdata --essential-hook='echo tzdata tzdata/Areas select Europe | chroot "$1" debconf-set-selections' --essential-hook=/tmp/essential.sh {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
-[ "$(readlink /tmp/debian-chroot/etc/localtime)" = "/usr/share/zoneinfo/Europe/Berlin" ]
+echo Europe/Berlin | cmp /tmp/debian-chroot/etc/timezone
 tar -C /tmp/debian-chroot --one-file-system -c . | tar -t | sort \
 	| grep -v '^./etc/localtime' \
 	| grep -v '^./etc/timezone' \
--- a/tests/fail-installing-to-existing-file
+++ b/tests/fail-installing-to-existing-file
@ -1,9 +1,6 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -f /tmp/exists" EXIT INT TERM
 touch /tmp/exists
 ret=0
 {{ CMD }} --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/exists {{ MIRROR }} || ret=$?
--- a/tests/fail-with-path-with-quotes
+++ b/tests/fail-with-path-with-quotes
@ -1,9 +1,6 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap 'rm -rf /tmp/quoted\"path' EXIT INT TERM
 ret=0
 {{ CMD }} --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/quoted\"path {{ MIRROR }} || ret=$?
 if [ "$ret" = 0 ]; then
--- a/tests/include-deb-file
+++ b/tests/include-deb-file
@ -3,8 +3,6 @@
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -rf /tmp/dummypkg.deb /tmp/dummypkg" EXIT INT TERM
 # instead of obtaining a .deb from our cache, we create a new package because
 # otherwise apt might decide to download the package with the same name and
 # version from the cache instead of using the local .deb
--- a/tests/install-busybox-based-sub-essential-system
+++ b/tests/install-busybox-based-sub-essential-system
@ -1,9 +1,6 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -rf /tmp/debian-chroot" EXIT INT TERM
 pkgs=base-files,base-passwd,busybox,debianutils,dpkg,libc-bin,mawk,tar
 # busybox --install -s will install symbolic links into the rootfs, leaving
 # existing files untouched. It has to run after extraction (otherwise there is
@ -34,3 +31,4 @@ chroot /tmp/debian-chroot echo foobar \
 	| chroot /tmp/debian-chroot tee /dev/null \
 	| chroot /tmp/debian-chroot sed 's/foobar/blubber/' \
 	| chroot /tmp/debian-chroot grep blubber >/dev/null
 rm -r /tmp/debian-chroot
--- a/tests/install-doc-debian
+++ b/tests/install-doc-debian
@ -1,25 +1,16 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 [ {{ VARIANT }} = "custom" ]
 [ {{ MODE }} = "chrootless" ]
 trap "rm -rf /tmp/debian-chroot" EXIT INT TERM
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --include=doc-debian {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
+[ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix {{ CMD }} --mode=chrootless --variant=custom --include=doc-debian {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/debian-chroot.tar .
 tar tvf /tmp/debian-chroot.tar > doc-debian.tar.list
 rm /tmp/debian-chroot.tar
--- a/tests/install-doc-debian-and-output-tarball
+++ b/tests/install-doc-debian-and-output-tarball
@ -2,22 +2,15 @@
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 [ {{ VARIANT }} = "custom" ]
 [ {{ MODE }} = "chrootless" ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --include=doc-debian {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
+[ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix {{ CMD }} --mode=chrootless --variant=custom --include=doc-debian {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 tar tvf /tmp/debian-chroot.tar | grep -v ' ./dev' | diff -u doc-debian.tar.list -
 rm /tmp/debian-chroot.tar
--- a/tests/install-doc-debian-and-test-hooks
+++ b/tests/install-doc-debian-and-test-hooks
@ -2,25 +2,16 @@
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 [ {{ VARIANT }} = "custom" ]
 [ {{ MODE }} = "chrootless" ]
 trap "rm -rf /tmp/debian-chroot" EXIT INT TERM
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
-$prefix {{ CMD }} --mode={{ MODE }} --skip=cleanup/tmp --variant={{ VARIANT }} --include=doc-debian --setup-hook='touch "$1/tmp/setup"' --customize-hook='touch "$1/tmp/customize"' {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
+[ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix {{ CMD }} --mode=chrootless --skip=cleanup/tmp --variant=custom --include=doc-debian --setup-hook='touch "$1/tmp/setup"' --customize-hook='touch "$1/tmp/customize"' {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 rm /tmp/debian-chroot/tmp/setup
 rm /tmp/debian-chroot/tmp/customize
 tar -C /tmp/debian-chroot --owner=0 --group=0 --numeric-owner --sort=name --clamp-mtime --mtime="$(date --utc --date=@{{ SOURCE_DATE_EPOCH }} --iso-8601=seconds)" -cf /tmp/debian-chroot.tar .
--- a/tests/install-libmagic-mgc-on-arm64
+++ b/tests/install-libmagic-mgc-on-arm64
@ -1,23 +1,16 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 [ {{ VARIANT }} = "custom" ]
 [ {{ MODE }} = "chrootless" ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --architectures=arm64 --include=libmagic-mgc {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
+[ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix {{ CMD }} --mode=chrootless --variant=custom --architectures=arm64 --include=libmagic-mgc {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 # delete contents of libmagic-mgc
 rm /tmp/debian-chroot/usr/lib/file/magic.mgc
 rm /tmp/debian-chroot/usr/share/doc/libmagic-mgc/README.Debian
--- a/tests/jessie-or-older
+++ b/tests/jessie-or-older
@ -1,30 +1,15 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
+if [ ! -e /mmdebstrap-testenv ]; then
 trap "rm -f /tmp/debian-chroot-{{ MODE }}.tar /tmp/debian-chroot-root-normal.tar" EXIT INT TERM
 [ "$(id -u)" -eq 0 ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+useradd --home-dir /home/user --create-home user
-MMTARFILTER=
+export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
 [ -x /usr/bin/mmtarfilter ] && MMTARFILTER=/usr/bin/mmtarfilter
 [ -x ./tarfilter ] && MMTARFILTER=./tarfilter
 filter() {
-	"$MMTARFILTER" \
+	./tarfilter \
 		--path-exclude=/usr/bin/uncompress \
 		--path-exclude=/var/cache/debconf/config.dat-old \
 		--path-exclude=/var/cache/debconf/templates.dat-old \
@ -35,7 +20,19 @@ filter() {
 }
 # base for comparison without jessie-or-older hook
-{{ CMD }} --mode=root --variant={{ VARIANT }} {{ DIST }} - {{ MIRROR }} > /tmp/debian-chroot-root-normal.tar
+{{ CMD }} --mode=root --variant={{ VARIANT }} {{ DIST }} - {{ MIRROR }} | filter > /tmp/debian-chroot-root-normal.tar
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --hook-dir=./hooks/jessie-or-older {{ DIST }} - {{ MIRROR }} | filter > /tmp/debian-chroot-{{ MODE }}.tar
+# root
-filter < /tmp/debian-chroot-root-normal.tar | cmp - /tmp/debian-chroot-{{ MODE }}.tar
+{{ CMD }} --mode=root --variant={{ VARIANT }} --hook-dir=./hooks/jessie-or-older {{ DIST }} - {{ MIRROR }} | filter > /tmp/debian-chroot-root.tar
 cmp /tmp/debian-chroot-root-normal.tar /tmp/debian-chroot-root.tar
 rm /tmp/debian-chroot-root.tar
 # unshare
 runuser -u user -- {{ CMD }} --mode=unshare --variant={{ VARIANT }} --hook-dir=./hooks/jessie-or-older {{ DIST }} - {{ MIRROR }} | filter > /tmp/debian-chroot-unshare.tar
 cmp /tmp/debian-chroot-root-normal.tar /tmp/debian-chroot-unshare.tar
 rm /tmp/debian-chroot-unshare.tar
 # fakechroot
 runuser -u user -- {{ CMD }} --mode=fakechroot --variant={{ VARIANT }} --hook-dir=./hooks/jessie-or-older {{ DIST }} - {{ MIRROR }} | filter > /tmp/debian-chroot-fakechroot.tar
 cmp /tmp/debian-chroot-root-normal.tar /tmp/debian-chroot-fakechroot.tar
 rm /tmp/debian-chroot-fakechroot.tar
 rm /tmp/debian-chroot-root-normal.tar
--- a/tests/logfile
+++ b/tests/logfile
@ -1,9 +1,6 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -rf /tmp/debian-chroot /tmp/log /tmp/trimmed" EXIT INT TERM
 # we check the full log to also prevent debug printfs to accidentally make it into a commit
 {{ CMD }} --mode=root --variant=apt --logfile=/tmp/log {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 # omit the last line which should contain the runtime
@ -20,3 +17,5 @@ I: cleaning package lists and apt cache...
 LOG
 tail --lines=1 /tmp/log | grep '^I: success in .* seconds$'
 tar -C /tmp/debian-chroot --one-file-system -c . | tar -t | sort | diff -u tar1.txt -
 rm -r /tmp/debian-chroot
 rm /tmp/log /tmp/trimmed
--- a/tests/merged-fakechroot-inside-unmerged-chroot
+++ b/tests/merged-fakechroot-inside-unmerged-chroot
@ -46,4 +46,4 @@ chmod +x script.sh
 	--customize-hook=./script.sh \
 	--customize-hook="copy-out /tmp/chroot-fakechroot.tar /tmp" \
 	{{ DIST }} /dev/null {{ MIRROR }}
-cmp /tmp/chroot-fakechroot.tar /tmp/chroot-root.tar || diffoscope /tmp/chroot-fakechroot.tar /tmp/chroot-root.tar
+cmp /tmp/chroot-fakechroot.tar /tmp/chroot-root.tar
--- a/tests/missing-dev-sys-proc-inside-the-chroot
+++ b/tests/missing-dev-sys-proc-inside-the-chroot
@ -1,20 +1,9 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ ! -e /mmdebstrap-testenv ]; then
 [ {{ MODE }} = "unshare" ]
 [ {{ VARIANT }} = "custom" ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+useradd --home-dir /home/user --create-home user
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --include=dpkg,dash,diffutils,coreutils,libc-bin,sed {{ DIST }} /dev/null {{ MIRROR }}
+runuser -u user -- {{ CMD }} --mode=unshare --variant=custom --include=dpkg,dash,diffutils,coreutils,libc-bin,sed {{ DIST }} /dev/null {{ MIRROR }}
--- a/tests/mmdebstrap
+++ b/tests/mmdebstrap
@ -1,20 +0,0 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
 [ "$(id -u)" -eq 0 ]
 [ {{ MODE }} = "root" ]
 case {{ FORMAT }} in tar|squashfs|ext2) : ;; *) exit 1;; esac
 {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} {{ DIST }} ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.{{ FORMAT }} {{ MIRROR }}
 if [ "{{ FORMAT }}" = tar ]; then
 	printf 'ustar ' | cmp --bytes=6 --ignore-initial=257:0 ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.tar -
 elif [ "{{ FORMAT }}" = squashfs ]; then
 	printf 'hsqs' | cmp --bytes=4 ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.squashfs -
 elif [ "{{ FORMAT }}" = ext2 ]; then
 	printf '\123\357' | cmp --bytes=2 --ignore-initial=1080:0 ./cache/mmdebstrap-{{ DIST }}-{{ VARIANT }}.ext2 -
 else
 	echo "unknown format: {{ FORMAT }}" >&2
 	exit 1
 fi
--- a/tests/no-sbin-in-path
+++ b/tests/no-sbin-in-path
@ -7,22 +7,16 @@
 set -eu
 export LC_ALL=C.UTF-8
 trap "rm -f /tmp/debian-chroot.tar" EXIT INT TERM
 [ "{{ MODE }}" = "fakechroot" ]
-
+trap "rm -f /tmp/debian-chroot.tar" EXIT INT TERM
-prefix=
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
-$prefix env PATH=/usr/bin:/bin fakechroot fakeroot {{ CMD }} --mode={{ MODE }} --variant=apt {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
+[ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 $prefix env PATH=/usr/bin:/bin fakechroot fakeroot {{ CMD }} --mode=fakechroot --variant=apt {{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
--- a/tests/pivot_root
+++ b/tests/pivot_root
@ -4,18 +4,22 @@ export LC_ALL=C.UTF-8
 export SOURCE_DATE_EPOCH={{ SOURCE_DATE_EPOCH }}
 trap "rm -f /tmp/chroot1.tar /tmp/chroot2.tar /tmp/chroot3.tar /tmp/mmdebstrap" EXIT INT TERM
-prefix=
+if [ ! -e /mmdebstrap-testenv ]; then
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" 2>/dev/null; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
 if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 	useradd --home-dir /home/user --create-home user
 fi
 prefix=
 [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && prefix="runuser -u user --"
 MMDEBSTRAP=
 [ -e /usr/bin/mmdebstrap ] && MMDEBSTRAP=/usr/bin/mmdebstrap
 [ -e ./mmdebstrap ] && MMDEBSTRAP=./mmdebstrap
 $prefix {{ CMD }} --mode={{ MODE }} --variant=apt \
 	--include=mount \
 	{{ DIST }} /tmp/chroot1.tar {{ MIRROR }}
@ -24,31 +28,28 @@ if [ {{ MODE }} = "unshare" ]; then
 	# calling pivot_root in root mode does not work for mysterious reasons:
 	# pivot_root: failed to change root from `.' to `mnt': Invalid argument
 	$prefix {{ CMD }} --mode={{ MODE }} --variant=apt --include=mount \
-		--customize-hook='mkdir -p "$1/mnt" "$1/oldroot"' \
+		--customize-hook="upload $MMDEBSTRAP /$MMDEBSTRAP" \
-		--customize-hook='[ ! -e /usr/bin/mmdebstrap ] || cp -aT /usr/bin/mmdebstrap "$1/usr/bin/mmdebstrap"' \
+		--customize-hook='chmod +x "$1"/'"$MMDEBSTRAP" \
-		--customize-hook='[ ! -e ./mmdebstrap ] || cp -aT ./mmdebstrap "$1/mnt/mmdebstrap"' \
+		--customize-hook='mount -o rbind "$1" /mnt && cd /mnt && /sbin/pivot_root . mnt' \
 		--customize-hook='mount -o rbind "$1" /mnt && cd /mnt && /sbin/pivot_root . oldroot' \
 		--customize-hook='unshare -U echo nested unprivileged unshare' \
-		--customize-hook='env --chdir=/mnt {{ CMD }} --mode=unshare --variant=apt --include=mount {{ DIST }} /tmp/chroot3.tar {{ MIRROR }}' \
+		--customize-hook="/$MMDEBSTRAP"' --mode=unshare --variant=apt --include=mount {{ DIST }} /tmp/chroot3.tar {{ MIRROR }}' \
 		--customize-hook='copy-out /tmp/chroot3.tar /tmp' \
-		--customize-hook='rm -f "/usr/bin/mmdebstrap" "/mnt/mmdebstrap"' \
+		--customize-hook='rm "$1/'"$MMDEBSTRAP"'"' \
-		--customize-hook='umount -l oldroot sys' \
+		--customize-hook='umount -l mnt sys' \
 		--customize-hook='rmdir /oldroot' \
 		{{ DIST }} /tmp/chroot2.tar {{ MIRROR }}
-		cmp /tmp/chroot1.tar /tmp/chroot2.tar || diffoscope /tmp/chroot1.tar /tmp/chroot2.tar
+		cmp /tmp/chroot1.tar /tmp/chroot2.tar
-		cmp /tmp/chroot1.tar /tmp/chroot3.tar || diffoscope /tmp/chroot1.tar /tmp/chroot3.tar
+		cmp /tmp/chroot1.tar /tmp/chroot3.tar
 		rm /tmp/chroot2.tar /tmp/chroot3.tar
 fi
 $prefix {{ CMD }} --mode={{ MODE }} --variant=apt --include=mount \
-	--customize-hook='mkdir -p "$1/mnt"' \
+	--customize-hook="upload $MMDEBSTRAP /$MMDEBSTRAP" \
-	--customize-hook='[ ! -e /usr/bin/mmdebstrap ] || cp -aT /usr/bin/mmdebstrap "$1/usr/bin/mmdebstrap"' \
+	--customize-hook='chmod +x "$1"/'"$MMDEBSTRAP" \
-	--customize-hook='[ ! -e ./mmdebstrap ] || cp -aT ./mmdebstrap "$1/mnt/mmdebstrap"' \
+	--chrooted-customize-hook="/$MMDEBSTRAP"' --mode=unshare --variant=apt --include=mount {{ DIST }} /tmp/chroot3.tar {{ MIRROR }}' \
 	--chrooted-customize-hook='env --chdir=/mnt {{ CMD }} --mode=unshare --variant=apt --include=mount {{ DIST }} /tmp/chroot3.tar {{ MIRROR }}' \
 	--customize-hook='copy-out /tmp/chroot3.tar /tmp' \
-	--customize-hook='rm -f "$1/usr/bin/mmdebstrap" "$1/mnt/mmdebstrap"' \
+	--customize-hook='rm "$1/'"$MMDEBSTRAP"'"' \
 	{{ DIST }} /tmp/chroot2.tar {{ MIRROR }}
-cmp /tmp/chroot1.tar /tmp/chroot2.tar || diffoscope /tmp/chroot1.tar /tmp/chroot2.tar
+cmp /tmp/chroot1.tar /tmp/chroot2.tar
-cmp /tmp/chroot1.tar /tmp/chroot3.tar || diffoscope /tmp/chroot1.tar /tmp/chroot3.tar
+cmp /tmp/chroot1.tar /tmp/chroot3.tar
--- a/tests/root-mode-inside-chroot
+++ b/tests/root-mode-inside-chroot
@ -6,12 +6,9 @@
 set -eu
 export LC_ALL=C.UTF-8
 [ "$(whoami)" = "root" ]
 trap "rm -f /tmp/debian-chroot.tar script.sh" EXIT INT TERM
 cat << 'SCRIPT' > script.sh
 #!/bin/sh
-set -exu
+set -eu
 rootfs="$1"
 mkdir -p "$rootfs/mnt"
 [ -e /usr/bin/mmdebstrap ] && cp -aT /usr/bin/mmdebstrap "$rootfs/usr/bin/mmdebstrap"
@ -26,3 +23,4 @@ chmod +x script.sh
 	--customize-hook="download /tmp/debian-chroot.tar /tmp/debian-chroot.tar" \
 	{{ DIST }} /dev/null {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
 rm /tmp/debian-chroot.tar script.sh
--- a/tests/root-mode-inside-unshare-chroot
+++ b/tests/root-mode-inside-unshare-chroot
@ -5,22 +5,13 @@
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ ! -e /mmdebstrap-testenv ]; then
 [ {{ MODE }} = "unshare" ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 		if [ ! -e /mmdebstrap-testenv ]; then
 	echo "this test modifies the system and should only be run inside a container" >&2
 	exit 1
 		fi
 		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+[ "$(whoami)" = "root" ]
-cat << 'SCRIPT' > /tmp/script.sh
+useradd --home-dir /home/user --create-home user
 cat << 'SCRIPT' > script.sh
 #!/bin/sh
 set -eu
 rootfs="$1"
@ -31,10 +22,10 @@ chroot "$rootfs" env --chdir=/mnt \
 	{{ CMD }} --mode=root --variant=apt \
 	{{ DIST }} /tmp/debian-chroot.tar {{ MIRROR }}
 SCRIPT
-chmod +x /tmp/script.sh
+chmod +x script.sh
-$prefix {{ CMD }} --mode={{ MODE }} --variant=apt --include=perl,mount \
+runuser -u user -- {{ CMD }} --mode=unshare --variant=apt --include=perl,mount \
-	--customize-hook=/tmp/script.sh \
+	--customize-hook=./script.sh \
 	--customize-hook="download /tmp/debian-chroot.tar /tmp/debian-chroot.tar" \
 	{{ DIST }} /dev/null {{ MIRROR }}
 tar -tf /tmp/debian-chroot.tar | sort | diff -u tar1.txt -
-rm /tmp/debian-chroot.tar /tmp/script.sh
+rm /tmp/debian-chroot.tar script.sh
--- a/tests/special-hooks-with-mode-mode
+++ b/tests/special-hooks-with-mode-mode
@ -1,19 +1,15 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
 [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && prefix="runuser -u user --"
 [ "{{ MODE }}" = "fakechroot" ] && prefix="$prefix fakechroot fakeroot"
 symlinktarget=/real
 [ "{{ MODE }}" = "fakechroot" ] && symlinktarget='$1/real'
--- a/tests/unpack-doc-debian
+++ b/tests/unpack-doc-debian
@ -1,25 +1,17 @@
 #!/bin/sh
 set -eu
 export LC_ALL=C.UTF-8
-
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 trap "rm -rf /tmp/debian-chroot" EXIT INT TERM
 [ {{ VARIANT }} = extract ]
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
-
+prefix=
 [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && prefix="runuser -u user --"
 [ "{{ MODE }}" = "fakechroot" ] && prefix="$prefix fakechroot fakeroot"
-$prefix {{ CMD }} --mode={{ MODE }} --variant={{ VARIANT }} --include=doc-debian {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
+$prefix {{ CMD }} --mode={{ MODE }} --variant=extract --include=doc-debian {{ DIST }} /tmp/debian-chroot {{ MIRROR }}
 # delete contents of doc-debian
 rm /tmp/debian-chroot/usr/share/doc-base/debian-*
 rm -r /tmp/debian-chroot/usr/share/doc/debian
--- a/tests/unshare-include-deb
+++ b/tests/unshare-include-deb
@ -5,19 +5,14 @@ export LC_ALL=C.UTF-8
 [ "{{ MODE }}" = unshare ]
-trap "rm -rf /tmp/dummypkg.deb /tmp/dummypkg" EXIT INT TERM
+if [ "$(id -u)" -eq 0 ] && ! id -u user > /dev/null 2>&1; then
 prefix=
 if [ "$(id -u)" -eq 0 ] && [ "{{ MODE }}" != "root" ] && [ "{{ MODE }}" != "auto" ]; then
 	if ! id "${SUDO_USER:-user}" >/dev/null 2>&1; then
 	if [ ! -e /mmdebstrap-testenv ]; then
 		echo "this test modifies the system and should only be run inside a container" >&2
 		exit 1
 	fi
-		useradd --home-dir "/home/${SUDO_USER:-user}" --create-home "${SUDO_USER:-user}"
+	useradd --home-dir /home/user --create-home user
 	fi
 	prefix="runuser -u ${SUDO_USER:-user} --"
 fi
 [ "$(id -u)" -eq 0 ] && prefix="runuser -u user --"
 # instead of obtaining a .deb from our cache, we create a new package because
 # otherwise apt might decide to download the package with the same name and
@ -36,8 +31,9 @@ Description: dummypkg
 END
 dpkg-deb --build "/tmp/dummypkg" "/tmp/dummypkg.deb"
-# make the .deb only redable by its owner which will exclude the unshared user
+# make the .deb only redable by user which will exclude the unshared user
 chmod 600 /tmp/dummypkg.deb
 chown user /tmp/dummypkg.deb
 ret=0
 $prefix {{ CMD }} --variant=apt --mode={{ MODE }} --include="/tmp/dummypkg.deb" \