A year ago or so I tried to install dcos and test it a bit. What stuck with me the most from this test was that I got a shell script with a blob inside that, I guess, would be dd'ed to a block device.
I take it in this blob are some default 'tools' like the kernel, shell scripts, netfilter stuff, bridge tools, java etc. What I totally do not like about that is:

- how do I know dcos is updating these binaries on time?
- how do I know dcos is monitoring security updates on these tools and applies them on time?
- how do I know the tools have not been 'infected' by malware when dcos is packaging them? (I know it is far-fetched, but still you do hear about development environments being hacked)

E.g. mesosphere has around 300 vs the 12000 employees of RedHat, and RedHat has made a core business of maintaining its Enterprise linux. If you want to distribute a blob, why not then a rhel or centos one (e.g. like Nutanix does), and create custom dcos rpms? This way you can give clients the option to install your blob or only some specific dcos rpms. This way clients can have some guarantee that the os is secured via their license subscription with RedHat.