diff --git a/.papr.yml b/.papr.yml
index 0681ae8cfc..e082ddb6d3 100644
--- a/.papr.yml
+++ b/.papr.yml
@@ -18,13 +18,10 @@ cluster:
   container:
     image: registry.fedoraproject.org/fedora:26
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1483553
-#packages:
-#  - git
-#  - rsync
-
 env:
   HOSTS: vmcheck1 vmcheck2 vmcheck3
+  CFLAGS: '-fsanitize=undefined -fsanitize-undefined-trap-on-error -fsanitize=address -O2 -Wp,-D_FORTIFY_SOURCE=2'
+  ASAN_OPTIONS: 'detect_leaks=0'  # Right now we're not fully clean, but this gets us use-after-free etc
   CI_PKGS: rsync
 
 tests:
@@ -37,6 +34,7 @@ timeout: 60m
 
 artifacts:
   - test-suite.log
+  - config.log
   - vmcheck
 
 ---
@@ -59,6 +57,12 @@ cluster:
     # FIXME remove this version binding when rpm-md repos are updated
     image: registry.centos.org/centos/centos:7.3.1611
 
+# We only want the sanitizers on Fedora
+env:
+  HOSTS: vmcheck1 vmcheck2 vmcheck3
+  CFLAGS: ''
+  CI_PKGS: rsync
+
 extra-repos:
   - name: atomic-centos-continuous
     baseurl: https://ci.centos.org/artifacts/sig-atomic/rdgo/centos-continuous/build
diff --git a/ci/build-check.sh b/ci/build-check.sh
index 589b5d6e3a..4ba011ffdb 100755
--- a/ci/build-check.sh
+++ b/ci/build-check.sh
@@ -16,10 +16,13 @@ make install
 # might get passed to it.
 id=$(. /etc/os-release && echo $ID)
 if [ "$id" == fedora ]; then
-    git clean -dfx
+    # always fail on warnings; https://github.com/ostreedev/ostree/pull/971
+    # Except for clang-4.0: error: argument unused during compilation: '-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1' [-Werror,-Wunused-command-line-argument]
+    export CFLAGS="-Wno-error=unused-command-line-argument -Werror ${CFLAGS:-}"
+    git clean -dfx && git submodule foreach git clean -dfx
+    # And now a clang build to find unused variables because it does a better
+    # job than gcc for vars with cleanups; perhaps in the future these could
+    # parallelize
     export CC=clang
-    export CFLAGS='-Werror=unused-variable -Werror=maybe-uninitialized'
-    build_default
-    # don't actually run the tests, just compile them
-    /usr/bin/make check TESTS=
+    build
 fi
diff --git a/ci/build.sh b/ci/build.sh
index 741465b63f..8d25008183 100755
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -18,12 +18,9 @@ elif [ "$id" == centos ]; then
 fi
 
 pkg_upgrade
-
-install_builddeps rpm-ostree
-
-yum install -y /usr/bin/g-ir-scanner # Accidentally omitted
+pkg_install_builddeps rpm-ostree
 # Mostly dependencies for tests
-yum install -y ostree{,-devel,-grub2} createrepo_c /usr/bin/jq PyYAML clang \
+pkg_install ostree{,-devel,-grub2} createrepo_c /usr/bin/jq PyYAML clang \
     libubsan libasan libtsan elfutils fuse sudo python-gobject-base
 
 if [ -n "${CI_PKGS:-}" ]; then
@@ -33,5 +30,5 @@ fi
 # create an unprivileged user for testing
 adduser testuser
 
-rpm -q ostree{,-devel,-grub2}
+export LSAN_OPTIONS=verbosity=1:log_threads=1
 build --enable-installed-tests --enable-gtk-doc
diff --git a/ci/libbuild.sh b/ci/libbuild.sh
index ffdc6da331..2b600dc726 100644
--- a/ci/libbuild.sh
+++ b/ci/libbuild.sh
@@ -2,22 +2,19 @@
 
 pkg_upgrade() {
     # https://bugzilla.redhat.com/show_bug.cgi?id=1483553
-    if ! yum -y upgrade 2>err.txt; then
-        ecode=$?
-        if grep -q -F -e "BDB1539 Build signature doesn't match environment" err.txt; then
-            rpm --rebuilddb
-            yum -y upgrade
-        else
+    ecode=0
+    yum -y distro-sync 2>err.txt || ecode=$?
+    if test ${ecode} '!=' 0 && grep -q -F -e "BDB1539 Build signature doesn't match environment" err.txt; then
+        rpm --rebuilddb
+        yum -y distro-sync
+    else
+        if test ${ecode} '!=' 0; then
             cat err.txt
             exit ${ecode}
         fi
     fi
 }
 
-pkg_install() {
-  yum -y install "$@"
-}
-
 make() {
     /usr/bin/make -j $(getconf _NPROCESSORS_ONLN) "$@"
 }
@@ -25,28 +22,48 @@ make() {
 build() {
     env NOCONFIGURE=1 ./autogen.sh
     ./configure --prefix=/usr --libdir=/usr/lib64 "$@"
-    make
+    make V=1
 }
 
-build_default() {
-    export CFLAGS="${CFLAGS:-} -fsanitize=undefined"
-    build
+pkg_install() {
+    yum -y install "$@"
 }
 
-install_builddeps() {
-    pkg=$1
+pkg_install_if_os() {
+    os=$1
+    shift
+    (. /etc/os-release;
+         if test "${os}" = "${ID}"; then
+            pkg_install "$@"
+         else
+             echo "Skipping installation on OS ${ID}: $@"
+         fi
+    )
+}
 
-    if [ -x /usr/bin/dnf ]; then
-        dnf -y install dnf-plugins-core
-        dnf install -y @buildsys-build
-        dnf install -y 'dnf-command(builddep)'
-        dnf builddep -y $pkg
+pkg_builddep() {
+    # This is sadly the only case where it's a different command
+    if test -x /usr/bin/dnf; then
+        dnf builddep -y "$@"
     else
-        yum install -y make rpm-build
-        yum-builddep -y rpm-ostree
+        yum-builddep -y "$@"
     fi
+}
 
+pkg_install_builddeps() {
+    pkg=$1
+    if test -x /usr/bin/dnf; then
+        yum -y install dnf-plugins-core
+        yum install -y 'dnf-command(builddep)'
+        # Base buildroot
+        pkg_install @buildsys-build
+    else
+        yum -y install yum-utils
+        # Base buildroot, copied from the mock config sadly
+        yum -y install bash bzip2 coreutils cpio diffutils system-release findutils gawk gcc gcc-c++ grep gzip info make patch redhat-rpm-config rpm-build sed shadow-utils tar unzip util-linux which xz
+    fi
     # builddeps+runtime deps
-    yum install -y $pkg
+    pkg_builddep $pkg
+    pkg_install $pkg
     rpm -e $pkg
 }