diff --git a/Makefile b/Makefile
index 49f38083a..74a74ab8b 100644
--- a/Makefile
+++ b/Makefile
@@ -8,33 +8,8 @@ all:
 install:
 	cp ocitools /usr/local/bin/ocitools
 
-rootfs.tar.gz: rootfs/bin/echo
-	tar -czf $@ -C rootfs .
-
-rootfs/bin/busybox: downloads/stage3-amd64-current.tar.bz2 rootfs-files
-	gpg --verify $<.DIGESTS.asc
-	(cd downloads && \
-		grep -A1 '^# SHA512 HASH' stage3-amd64-current.tar.bz2.DIGESTS.asc | \
-		grep -v '^--' | \
-		sha512sum -c)
-	sudo rm -rf rootfs
-	sudo mkdir rootfs
-	sudo tar -xvf downloads/stage3-amd64-current.tar.bz2 -C rootfs \
-		--no-recursion --wildcards $$(< rootfs-files)
-	sudo touch $@
-
-rootfs/bin/echo: rootfs/bin/busybox
-	sudo sh -c 'for COMMAND in $$($< --list); do \
-		ln -rs $< "rootfs/bin/$${COMMAND}"; \
-	done'
-
-downloads/stage3-amd64-current.tar.bz2: get-stage3.sh
-	./$<
-	touch downloads/stage3-amd64-*.tar.bz2
-
 clean:
-	rm -f ocitools runtimetest downloads/*
-	sudo rm -rf rootfs
+	rm -f ocitools runtimetest
 
 .PHONY: test .gofmt .govet .golint
 
diff --git a/README.md b/README.md
index f4686de5f..09a534e20 100644
--- a/README.md
+++ b/README.md
@@ -68,41 +68,3 @@ validating rlimits
 validating sysctls
 Runtime runc passed validation
 ```
-
-Building `rootfs.tar.gz`
-------------------------
-
-The root filesystem tarball is based on [Gentoo][]'s [amd64
-stage3][stage3-amd64] (which we check for a valid [GnuPG
-signature][gentoo-signatures]), copying a [minimal
-subset](rootfs-files) to the root filesytem, and adding symlinks for
-all BusyBox commands. To rebuild the tarball based on a newer stage3,
-just run:
-
-```
-$ touch get-stage3.sh
-$ make rootfs.tar.gz
-```
-
-### Getting Gentoo's Release Engineering public key
-
-If `make rootfs.tar.gz` gives an error like:
-
-```
-gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
-gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
-gpg: Can't check signature: public key not found
-```
-
-you will need to [add the missing public key to your
-keystore][gentoo-signatures].  One way to do that is by [asking a
-keyserver][recv-keys]:
-
-```
-$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910
-```
-
-[Gentoo]: https://www.gentoo.org/
-[stage3-amd64]: http://distfiles.gentoo.org/releases/amd64/autobuilds/
-[gentoo-signatures]: https://www.gentoo.org/downloads/signatures/
-[recv-keys]: https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html
diff --git a/contrib/README.md b/contrib/README.md
new file mode 100644
index 000000000..e582aeaf5
--- /dev/null
+++ b/contrib/README.md
@@ -0,0 +1,3 @@
+# ocitools contrib
+
+The `contrib` directory contains various scripts, programs, and other helpful things which are not part of the core ocitools.
diff --git a/contrib/rootfs-builder/Makefile b/contrib/rootfs-builder/Makefile
new file mode 100644
index 000000000..296b0fca5
--- /dev/null
+++ b/contrib/rootfs-builder/Makefile
@@ -0,0 +1,27 @@
+rootfs.tar.gz: rootfs/bin/echo
+	tar -czf $@ -C rootfs .
+
+rootfs/bin/busybox: downloads/stage3-amd64-current.tar.bz2 rootfs-files
+	gpg --verify $<.DIGESTS.asc
+	(cd downloads && \
+		grep -A1 '^# SHA512 HASH' stage3-amd64-current.tar.bz2.DIGESTS.asc | \
+		grep -v '^--' | \
+		sha512sum -c)
+	sudo rm -rf rootfs
+	sudo mkdir rootfs
+	sudo tar -xvf downloads/stage3-amd64-current.tar.bz2 -C rootfs \
+		--no-recursion --wildcards $$(< rootfs-files)
+	sudo touch $@
+
+rootfs/bin/echo: rootfs/bin/busybox
+	sudo sh -c 'for COMMAND in $$($< --list); do \
+		ln -rs $< "rootfs/bin/$${COMMAND}"; \
+	done'
+
+downloads/stage3-amd64-current.tar.bz2: get-stage3.sh
+	./$<
+	touch downloads/stage3-amd64-*.tar.bz2
+
+clean:
+	rm -f downloads/*
+	sudo rm -rf rootfs
diff --git a/contrib/rootfs-builder/README.md b/contrib/rootfs-builder/README.md
new file mode 100644
index 000000000..cb5efd248
--- /dev/null
+++ b/contrib/rootfs-builder/README.md
@@ -0,0 +1,37 @@
+Building `rootfs.tar.gz`
+------------------------
+
+The root filesystem tarball is based on [Gentoo][]'s [amd64
+stage3][stage3-amd64] (which we check for a valid [GnuPG
+signature][gentoo-signatures]), copying a [minimal
+subset](rootfs-files) to the root filesytem, and adding symlinks for
+all BusyBox commands. To rebuild the tarball based on a newer stage3,
+just run:
+
+```
+$ touch get-stage3.sh
+$ make rootfs.tar.gz
+```
+
+### Getting Gentoo's Release Engineering public key
+
+If `make rootfs.tar.gz` gives an error like:
+
+```
+gpg --verify downloads/stage3-amd64-current.tar.bz2.DIGESTS.asc
+gpg: Signature made Thu 14 Jan 2016 09:00:11 PM EST using RSA key ID 2D182910
+gpg: Can't check signature: public key not found
+```
+
+you will need to [add the missing public key to your
+keystore][gentoo-signatures].  One way to do that is by [asking a
+keyserver][recv-keys]:
+
+```
+$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2D182910
+```
+
+[Gentoo]: https://www.gentoo.org/
+[stage3-amd64]: http://distfiles.gentoo.org/releases/amd64/autobuilds/
+[gentoo-signatures]: https://www.gentoo.org/downloads/signatures/
+[recv-keys]: https://www.gnupg.org/documentation/manuals/gnupg/Operational-GPG-Commands.html
diff --git a/downloads/.gitignore b/contrib/rootfs-builder/downloads/.gitignore
similarity index 100%
rename from downloads/.gitignore
rename to contrib/rootfs-builder/downloads/.gitignore
diff --git a/get-stage3.sh b/contrib/rootfs-builder/get-stage3.sh
similarity index 100%
rename from get-stage3.sh
rename to contrib/rootfs-builder/get-stage3.sh
diff --git a/rootfs-files b/contrib/rootfs-builder/rootfs-files
similarity index 100%
rename from rootfs-files
rename to contrib/rootfs-builder/rootfs-files