Hi,
I've abandoned my chroot approach to improving security in patchwatcher. Instead I've implemented the ability to run untrusted code as a user different than the one running patchwatcher. This is because creating a chroot where Wine could be compiled and tested proved to be too difficult and platform-dependent.
I've also added external time limits for running untrusted code. This as a whole should help prevent individual patches from stalling the patch watching process.
It is very easy to set up. All you need is a low-privileged user (but enough to run the tests, e.g. audio, video groups) and an empty folder where you can write but this user can only read (not your home folder, it shouldn't have access there anyway).
To use it, start with a clean patchwatcher and adjust the variables in patchwatcher.sh, then run "patchwatcher.sh initialize". It will instruct you to run some commands as root (setuid the wrapper). Run initialize again and it should build wine and run baseline tests. Then you can test it by putting a patch in patches/ and issuing the try_one_patch command. To start watching use the continuous_build command.
Patch is attached.
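The two mechanisms described in the message (running a patch's build and tests as a separate low-privileged user, and putting an external time limit on it) can be illustrated with the following shell snippet. This is an added example, not code from the attached patch or from patchwatcher itself: the patch's setuid wrapper is not on the page, so the example stands in for it with `sudo -n -u` when the assumed variable UNTRUSTED_USER is set, and otherwise runs the command as the current user so the time limit can be exercised without a second account. `check_workdir` implements the stated requirement that the work folder be writable by the watcher but not by anyone else, and `run_limited` uses coreutils `timeout` (SIGTERM at the limit, SIGKILL five seconds later) so a stalled patch cannot block the watching loop.

```shell
#!/bin/sh
# Added example (not patchwatcher's own code). Assumptions:
#   UNTRUSTED_USER  optional; a dedicated low-privileged account the caller may
#                   reach with a non-interactive "sudo -n -u" (stand-in for the
#                   setuid wrapper the patch ships, which is not shown here).
#   timeout(1)      GNU/busybox coreutils, for the external time limit.

# check_workdir DIR: DIR must exist, be writable by us, and not be group- or
# world-writable, so the untrusted user can read the tree but not modify it.
# Returns 0 if the directory is acceptable, 1 otherwise.
check_workdir() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    # -prune keeps find on DIR itself; -perm -002 / -020 test the o+w / g+w bits.
    if [ -n "$(find "$dir" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
        return 1
    fi
    return 0
}

# run_limited SECONDS DIR CMD [ARGS...]: run CMD inside DIR under a hard time
# limit, dropping to UNTRUSTED_USER when that variable is set. The exit status
# is the command's own, or 124 when timeout(1) had to stop it (125 if DIR is
# unusable), so the caller can tell a failing patch from a stalled one.
run_limited() {
    limit=$1
    dir=$2
    shift 2
    (
        cd "$dir" || exit 125
        if [ -n "${UNTRUSTED_USER:-}" ]; then
            # -n: never prompt for a password inside an unattended build loop.
            exec timeout -k 5 "$limit" sudo -n -u "$UNTRUSTED_USER" "$@"
        else
            exec timeout -k 5 "$limit" "$@"
        fi
    )
}
```

A watcher loop would call `check_workdir "$WORKDIR" || exit 1` once at start-up and then `run_limited 3600 "$WORKDIR" sh -c 'make && make test'` for each patch, treating exit status 124 as "patch stalled" rather than "patch failed".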