by microtonal 4118 days ago
And when one of the usual system libraries is compromised (glibc, libssl, libxml), everyone needs to update their containers.

To make this workable, I guess you have to union mount the application-specific filesystem over a filesystem with ABI-stable system libraries.

The systemd team has some goals around this, but the current 'state of the art' is that you reship all your containers.
I'm not sure how the systemd btrfs volume scheme actually solves this issue. The only one who seems to have solved the problem is Nix, through the use of isolated environment builds, associating packages via hashes and building anew for every discrepancy (new version, different configuration switch) while associating it in a store.
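The rebuild-everything-downstream behaviour described in the last comment, shown as an added example that is not part of the thread or of Nix itself: a toy content-addressed store where a package's path hashes its own inputs plus its dependencies' paths, so a patched libssl changes the paths of libxml2 and the app but leaves glibc and an unrelated tool untouched. The package graph, versions and source hashes are constructed for illustration.

```python
import hashlib
import json

# Constructed example of a Nix-style store: each package's path is derived from a hash
# of its own build description plus the store paths of its dependencies. Any change in
# a dependency (new version, patched source, different build flag) therefore yields a
# new path for every package that transitively depends on it.

def store_path(name, version, src_hash, flags, dep_paths):
    """Hash the complete build description; identical inputs give identical paths."""
    desc = json.dumps({"name": name, "version": version, "src": src_hash,
                       "flags": sorted(flags), "deps": sorted(dep_paths)},
                      sort_keys=True)
    digest = hashlib.sha256(desc.encode()).hexdigest()[:32]
    return f"/nix/store/{digest}-{name}-{version}"

def build_closure(packages):
    """Resolve store paths bottom-up. `packages` maps name -> (version, src_hash, flags, deps)."""
    paths = {}
    def resolve(name):
        if name not in paths:
            version, src, flags, deps = packages[name]
            paths[name] = store_path(name, version, src, flags, [resolve(d) for d in deps])
        return paths[name]
    for name in packages:
        resolve(name)
    return paths

def rebuilt_after_change(before, after):
    """Names whose store path changed, i.e. the images that must be rebuilt and reshipped."""
    return sorted(n for n in after if before.get(n) != after[n])

# Constructed dependency graph: app -> libxml2 -> libssl -> glibc, and tool -> glibc only.
BASE = {
    "glibc":   ("2.19", "src-glibc-a", [], []),
    "libssl":  ("1.0.1", "src-openssl", ["--enable-tls1_2"], ["glibc"]),
    "libxml2": ("2.9", "src-libxml", [], ["glibc", "libssl"]),
    "app":     ("1.0", "src-app", [], ["libxml2"]),
    "tool":    ("0.3", "src-tool", [], ["glibc"]),
}

def affected_by_libssl_patch():
    """Swap in a patched libssl source: everything above it gets a new path; glibc and tool do not."""
    patched = dict(BASE)
    patched["libssl"] = ("1.0.1", "src-openssl-patched", ["--enable-tls1_2"], ["glibc"])
    return rebuilt_after_change(build_closure(BASE), build_closure(patched))
```

Running `affected_by_libssl_patch()` returns `['app', 'libssl', 'libxml2']`; patching glibc instead flips every path, which is the "reship all your containers" case from the thread.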