How do we provide platform engineers and security architects with the same immutability and integrity for the operating system (OS) that they expect from containers? While OSTree pioneered transactional deployments, the ecosystem has shifted toward OCI images and sealed, hardware-rooted attestation, leaving a gap for a standardized, verifiable OS delivery path.

This talk introduces a shift in image-mode Linux, aligning the OS directly with the OCI model using bootc and composefs. By consuming OCI images and materializing them through composefs, we create a bootable, verifiable filesystem with strong lifecycle and update guarantees.

We compare this approach with traditional OSTree methods, examining layering, updates, and operational trade-offs. We will demonstrate deploying a composefs-backed system on Fedora 44.

After this talk, attendees will be ready to build, verify, and deploy OCI-native operating systems with production-grade integrity.