OK, so a bootable thumb drive rather than a read-only ISO image?

I mean, it should be possible to give it an update function which you can run from any utility host, rather than requiring a live install at the moment you want to test a new machine.

That update function could do normal package management and repository things with digital signature checks, etc.

And it could be done ahead of time to support sneaker-net scenarios, i.e. where you won't have networking on the new machine that is being burned-in/validated.