A Bug is a Bug, but a Patch is a Policy: The Case for Bootable Containers
Summary
The post argues that traditional patching driven by CVSS scores breaks down now that the Linux kernel CNA issues CVEs without CVSS scores, leaving nothing to prioritize on. It advocates bootable containers as a patching policy: the OS is built and shipped as an image, updates are applied atomically (and rolled back atomically), and CVEs are triaged against the environment the image actually runs in rather than against a generic score. Building the OS the CI/CD way, the post argues, reduces update fatigue and lets a stated policy, not per-CVE scoring, decide when and how a fix ships. It also cites Chainguard as an example of the velocity approach (patch by rebuilding quickly rather than by scoring) and points to a prior post on achieving a zero-CVE OS for VMs.
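As an added illustration of "a patch is a policy" (example code written for this page, not code from the post or from the bootc project), the script below encodes one such policy as a build step for a bootable container image: the base image must be pinned by digest, every pending OS update is applied at build time so the result is one atomic image, and the running host moves to that image with `bootc upgrade` and back with `bootc rollback`. The image reference, digest, and policy are assumptions for illustration; the `bootc` commands are those of the upstream bootc CLI.

```shell
#!/bin/sh
# Added example, not from the post. Assumptions: the base reference is a
# bootc-compatible image (e.g. quay.io/fedora/fedora-bootc:41, pinned by
# digest), and `bootc` is the upstream bootc CLI on the target host.

# Policy check: refuse a base image that is referenced only by tag.
# A digest makes the rebuild reproducible, so the update is a deliberate,
# reviewable change to the image rather than whatever the tag points at today.
pinned_by_digest() {
    printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Emit the Containerfile for the updated OS image. All outstanding package
# updates are applied here, at build time; nothing is patched on the host.
render_containerfile() {
    base="$1"
    if ! pinned_by_digest "$base"; then
        echo "refusing unpinned base image: $base" >&2
        return 1
    fi
    cat <<EOF
FROM $base
# Apply every pending OS update in the build; the result is a single image
# that is either fully in use or not in use at all (atomic update).
RUN dnf -y update && dnf clean all
EOF
}

# On a host already booted from an earlier version of the image (not run
# here; it needs a bootc host and the pushed image):
#   bootc upgrade --apply   # fetch the new image and reboot into it
#   bootc status            # show the booted, staged, and rollback images
#   bootc rollback          # queue the previous image for the next boot
apply_update() {
    bootc upgrade --apply
}

# Usage: sh build-policy.sh <image@sha256:digest> > Containerfile
if [ -n "${1:-}" ]; then
    render_containerfile "$1"
fi
```

The point of the digest check is the one the post makes about policy: the decision to ship a fix is taken once, in the build that produces the new image, and every host then receives exactly that image or stays on the previous one.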