diff --git a/debian/obs-apache2.conf b/debian/obs-apache2.conf
index 8f8f4df05393ce0fa783ae8c6d05b51fc3b364e1..3b8c8f8aec4f03355582fb60575f63f807d759ac 100644
--- a/debian/obs-apache2.conf
+++ b/debian/obs-apache2.conf
@@ -5,6 +5,7 @@ Listen 82
 # Passenger defaults
 PassengerSpawnMethod "smart"
 PassengerMaxPoolSize 20
+PassengerDefaultUser obsapi
 #RailsEnv "development"
 
 # allow long request urls and being part of headers
diff --git a/debian/obs-api.postinst b/debian/obs-api.postinst
index a0e9fcf6d0a6d236c561c91660f4f3d24f542733..eb75dc3dbcdee40549cd21bcdd7f510038db4b32 100644
--- a/debian/obs-api.postinst
+++ b/debian/obs-api.postinst
@@ -1,5 +1,16 @@
 #!/bin/sh -e
 
+# Add obsapi user and group to run the passenger RubyApp
+if ! getent group obsapi > /dev/null; then
+            addgroup --system --quiet obsapi
+fi
+if ! getent passwd obsapi > /dev/null; then
+    adduser --system --quiet \
+        --ingroup obsapi --shell /bin/false \
+        --no-create-home --home /nonexistent obsapi
+    usermod -c "User for build service api/webui" obsapi
+fi
+
 # Place api and repo url on index page
 if [ ! -f /usr/share/obs/overview/index.html ] ; then
   FQHOSTNAME=`hostname -f`
@@ -13,13 +24,19 @@ fi
 if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
   rm -f /usr/share/obs/api/config/secret.key
 fi
+
 SECRET_KEY="/etc/obs/api/config/secret.key"
 if [ ! -e "$SECRET_KEY" ]; then
-    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
+  touch $SECRET_KEY
+  chmod 0640 $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+    ( dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
     ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
-fi
+else
+  # cope with upgrades here to ensure that obsapi user own the key.
   chmod 0640 $SECRET_KEY
-  chown nobody:www-data $SECRET_KEY
+  chown obsapi:www-data $SECRET_KEY
+fi
 
 # Generate log files
   touch /var/log/obs/access.log
diff --git a/debian/obs-api.postrm b/debian/obs-api.postrm
index f1384e7950908c373decbc141ac819b955ba4839..3649dfacd3235706a6db5da86fc1c344a90eb255 100644
--- a/debian/obs-api.postrm
+++ b/debian/obs-api.postrm
@@ -67,6 +67,9 @@ if [ "$1" = "purge" ]; then
     # Disable the obs site if not already disabled
         a2dissite obs.conf	> /dev/null || true
     fi
+    # Delete obsapi user and group
+    deluser --system --quiet obsapi || true
+    delgroup --system --quiet obsapi || true
     # Restart Apache to really unload obs.conf
     reload_apache restart
 fi
diff --git a/debian/patches/dist-Use-2.7-packages-for-testing.patch b/debian/patches/dist-Use-2.7-packages-for-testing.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dec03d12aa15b8492f2ba3d5ba56080ee31c0e33
--- /dev/null
+++ b/debian/patches/dist-Use-2.7-packages-for-testing.patch
@@ -0,0 +1,26 @@
+From be9fc5f2f7c564392948f127faff6486225ba8e6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= <bgeuken@suse.de>
+Date: Mon, 26 Jun 2017 15:06:51 +0200
+Subject: [PATCH] [dist] Use 2.7 packages for testing 2.7 branch in travis
+
+---
+ dist/ci/obs_testsuite_travis_install.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits
+diff --git a/dist/ci/obs_testsuite_travis_install.sh b/dist/ci/obs_testsuite_travis_install.sh
+index 85238dbd1..f9ecadaeb 100755
+--- a/dist/ci/obs_testsuite_travis_install.sh
++++ b/dist/ci/obs_testsuite_travis_install.sh
+@@ -8,7 +8,7 @@ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C5C219E7
+ 
+ # Install updates from our own repository
+ sudo chmod a+w /etc/apt/sources.list.d
+-echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/Unstable/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list
++echo 'deb http://download.opensuse.org/repositories/OBS:/Server:/2.7/xUbuntu_12.04 /' > /etc/apt/sources.list.d/opensuse.list
+ 
+ # We could use this to only update the package list from the OBS,
+ # but apprently this is not possible anymore. So we update all package lists.
+-- 
+2.11.0
+
diff --git a/debian/patches/fix-kiwitree-symlink.patch b/debian/patches/fix-kiwitree-symlink.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb1150217d20b267808ec4753f3695f31b8aae83
--- /dev/null
+++ b/debian/patches/fix-kiwitree-symlink.patch
@@ -0,0 +1,20 @@
+commit 3b73dab1a9e676e28334df10fac7c054418228a8
+Author: Michael Schroeder <mls@suse.de>
+Date:   Fri Mar 17 10:49:14 2017 +0100
+
+    [backend] fix kiwitree symlink check
+
+    Bad code copied from the build package. Sigh.
+
+Origin: upstream, https://github.com/openSUSE/open-build-service/commit/3b73dab1a9e676e28334df10fac7c054418228a8
+--- a/src/backend/bs_repserver
++++ b/src/backend/bs_repserver
+@@ -1743,7 +1743,7 @@ sub receivekiwitree {
+     } elsif ($type eq 'l') {
+       $extra =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
+       die("bad symlink\n") if "/$extra/" =~ /\/\.?\//;
+-      if ("/$extra/" =~ /^(\/\.\.)+\/(.*?)$/s) {
++      if ("/$extra/" =~ /^((?:\/\.\.)+)\/(.*?)$/s) {
+         my ($head, $tail) = ($1, $2);
+ 	die("bad upref in symlink\n") if "/$tail/" =~ /\/\.\.\//;
+ 	die("bad upref in symlink\n") if ($head =~ y!/!!) > ($file =~ y!/!!);
diff --git a/debian/patches/handle-links-properly.patch b/debian/patches/handle-links-properly.patch
new file mode 100644
index 0000000000000000000000000000000000000000..01e7296f44966f555df6527b2fc8eb83b6a57e06
--- /dev/null
+++ b/debian/patches/handle-links-properly.patch
@@ -0,0 +1,47 @@
+commit d4bddd6df495cc436185961fb497dacedc046008
+Author: Adrian Schröter <adrian@suse.de>
+Date:   Thu Jun 22 12:12:01 2017 +0200
+
+    [webui] Handle links properly when doing backend build operations
+
+    OBS wasn't properly handling linked projects when triggering rebuilds,
+    wipe binaries and abort build. This resulted in packages of linked
+    projects being aborted, wiped, rebuilt.
+
+    This fixes the falsey code.
+
+    Pair-programmed with @eduardoj and @bgeuken
+
+Origin: upstream, https://github.com/openSUSE/open-build-service/pull/3284/commits
+--- a/src/api/app/models/package.rb
++++ b/src/api/app/models/package.rb
+@@ -1344,22 +1344,23 @@ class Package < ActiveRecord::Base
+     self
+   end
+ 
++  #### WARNING: these operations run in build object, not this package object
+   def rebuild(params)
+-    backend_build_command(:rebuild, params.slice(:package, :arch, :repository))
++    backend_build_command(:rebuild, params[:project], params.slice(:package, :arch, :repository))
+   end
+ 
+   def wipe_binaries(params)
+-    backend_build_command(:wipe, params.slice(:package, :arch, :repository))
++    backend_build_command(:wipe, params[:project], params.slice(:package, :arch, :repository))
+   end
+ 
+   def abort_build(params)
+-    backend_build_command(:abortbuild, params.slice(:package, :arch, :repository))
++    backend_build_command(:abortbuild, params[:project], params.slice(:package, :arch, :repository))
+   end
+ 
+-  def backend_build_command(command, params)
++  def backend_build_command(command, build_project, params)
+     begin
+-      Suse::Backend.post("/build/#{URI.escape(project.name)}?cmd=#{command}&#{params.to_query}", '')
+-    rescue ActiveXML::Transport::Error, Timeout::Error => e
++      Suse::Backend.post("/build/#{URI.escape(build_project)}?cmd=#{command}&#{params.to_query}", '')
++    rescue ActiveXML::Transport::Error, Timeout::Error, Project::WritePermissionError => e
+       errors.add(:base, e.message)
+       return false
+     end
diff --git a/debian/patches/series b/debian/patches/series
index 5f8f3362b611ca4f6a1a34530de7574e15031861..1edc93fc6f76a872e02852a3d33b6ecc0f89723f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,6 @@ Do-not-ship-database.yml.patch
 localgem.patch
 disable-slp.patch
 CVE-2017-5188.patch
+fix-kiwitree-symlink.patch
+handle-links-properly.patch
+dist-Use-2.7-packages-for-testing.patch
\ No newline at end of file
diff --git a/debian/rake-tasks.sh b/debian/rake-tasks.sh
index 858d5248212bde579852b4d1cc1d1911308982b5..154900a4ed38dcf51714821b67b8bcc5b18a66eb 100755
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -26,10 +26,10 @@ case "$1" in
 	chown -R www-data:www-data /usr/share/obs/api/public
 	chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
 	chmod 664 /var/log/obs/*.log
-	chown nobody:www-data /etc/obs/api/config/database.yml
-	chmod 660 /etc/obs/api/config/database.yml
-	chown nobody:www-data /var/log/obs/backend_access.log
-	chown nobody:www-data /var/log/obs/production.log
+	chown obsapi:www-data /etc/obs/api/config/database.yml
+	chmod 440 /etc/obs/api/config/database.yml
+	chown obsapi:www-data /var/log/obs/backend_access.log
+	chown obsapi:www-data /var/log/obs/production.log
 
 	# Generate Gemfile.lock file.
 	cd /usr/share/obs/api
diff --git a/debian/rules b/debian/rules
index b57936861d442d2db1ceb3fb4b1540bca68c2dee..ac2426a52c27ac66431512c8ef8f45e56851c63c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -69,6 +69,9 @@ override_dh_install:
 	# Fix Mark scripts as executable until upstream fixes
 	chmod a+x debian/obs-server/usr/lib/obs/tests/appliance/*t*
 
+	# Remove useless Gemfile.lock
+	rm -f debian/obs-api/usr/share/obs/api/Gemfile.lock
+
 override_dh_systemd_enable:
 	dh_systemd_enable -p obs-server \
 		obsrepserver.service \