Subject: Re: binary for NetBSD Security Advisory 2003-009: sendmail
To: None <tech-security@netbsd.org>
From: Christian Limpach <chris@pin.lu>
List: tech-security
Date: 04/08/2003 22:25:32

Quoting "Greg A. Woods" <woods@weird.com>:

> This process is onerous enough that I only build patches for stuff that
> might actually pose a real risk to my clients.
> 
> I'm hoping that with future releases I might be able to leverage a bit
> off the new meta-log mechanisms in "install"....

The following works for me, as long as you don't mind including all the files 
``make install'' installs.  Run it from the dir which is mentioned in the 
advisory:

DESTDIR is some temporary dir
TOPDIR is where build.sh is
NBMAKE is the make wrapper script[1] from the tools dir
NBPAX is nbpax from the tools dir
DISTFILE is the created .tar.gz package

mkdir $DESTDIR
(cd $TOPDIR && $NBMAKE do-distrib-dirs DESTDIR=$DESTDIR)
>$DESTDIR/METALOG

$NBMAKE cleandir dependall
$NBMAKE install DESTDIR=$DESTDIR

# remove what we don't need in package
(cd $DESTDIR && find . -type d -depth -print0 | xargs -0 rmdir 2>/dev/null)
rm $DESTDIR/sys

cd $DESTDIR
( echo "/set uname=root gname=wheel"
  find . -type d -exec echo \{} type=dir optional \;
  sed "s#${DESTDIR}##" $DESTDIR/METALOG
) | $NBPAX -v -wz -M -N $TOPDIR/etc -f $DISTFILE

Maybe we could have a top-level target which does the right thing for:
make binary-patch-kit DESTDIR=somedir DISTFILE=somefile \
    SUBDIRS="some/sub/dir other/sub/dir"

-- 
Christian Limpach <chris@pin.lu>

[1] set up to do unprivileged builds, might not work otherwise.
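
Added example (not part of the original message, nor NetBSD's own tooling): because the kit includes every file that "make install" installs, it is worth listing the setuid/setgid entries recorded in METALOG before packing it. The mtree-style "path key=value ..." line format, the sample lines and the function names are assumptions constructed for illustration; the DESTDIR string is removed from each path the same way the sed in the message does.

```shell
#!/bin/sh
# Added example: audit a METALOG for setuid/setgid files before packaging.
# Assumed input: one mtree-style entry per line, "path key=value ...".

# Constructed sample METALOG for a DESTDIR of /tmp/dest (not real build output).
sample_metalog() {
    cat <<'EOF'
./tmp/dest/usr/libexec/sendmail/sendmail type=file mode=02555 uname=root gname=smmsp
./tmp/dest/usr/sbin/makemap type=file mode=0555 uname=root gname=wheel
./tmp/dest/usr/bin/example-suid type=file mode=04555 uname=root gname=wheel
./tmp/dest/usr/sbin/sendmail type=link mode=0755 uname=root gname=wheel
./tmp/dest/usr/share/man/man8/sendmail.8 type=file mode=0444 uname=root gname=wheel
EOF
}

# Usage: metalog_privileged DESTDIR < METALOG
# Prints one line per regular file whose mode carries the setuid or setgid bit.
metalog_privileged() {
    awk -v destdir="$1" '
    {
        # Strip the first occurrence of DESTDIR, like sed "s#${DESTDIR}##".
        path = $1
        pos = (destdir == "") ? 0 : index(path, destdir)
        if (pos > 0)
            path = substr(path, 1, pos - 1) substr(path, pos + length(destdir))

        type = ""; mode = ""; owner = ""
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "type") type = val
            else if (key == "mode") mode = val
            else if (key == "uname" || key == "gname") owner = owner " " $i
        }
        if (type != "file" || mode !~ /^[0-7]+$/) next

        # Normalise to the last four octal digits; the first is the special bits.
        mode = substr("0000" mode, length(mode) + 1)
        special = substr(mode, 1, 1) + 0
        what = ""
        if (special >= 4) what = "setuid"
        if (int(special / 2) % 2) what = (what == "" ? "" : what "+") "setgid"
        if (what != "") print what, path, "mode=" mode owner
    }'
}

# Demo run on the constructed sample.
sample_metalog | metalog_privileged /tmp/dest
```

Against a real kit, run it as: metalog_privileged "$DESTDIR" < "$DESTDIR/METALOG" and compare the result with what the advisory's fix is expected to touch.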