On Tue, Aug 27, 2019 at 01:22 John Harris wrote:
[snip]
> No online updates is the exact issue I see with this. That's a
> security nightmare.
> If you don't have a package manager there, it simply will not be updated.
> It'll be installed once, then either left there forever, un-updated, with tons
> of vulnerabilities piling up.
IIUC, the proposal from Christian is to use rpm-ostree as a build stage to
produce the runtime container; then you can still do online updates, but
instead of committing the result of a dnf update, you commit a new
rpm-ostree composed rootfs.
Regards,
-Tristan