diff --git a/.mkosi/mkosi.fedora b/.mkosi/mkosi.fedora
index 0af20c924a..478703c41a 100644
--- a/.mkosi/mkosi.fedora
+++ b/.mkosi/mkosi.fedora
@@ -63,6 +63,7 @@ BuildPackages=
         libxslt
         lz4-devel
         make
+        diffutils
         pam-devel
         pkgconfig
         python3-devel
diff --git a/TODO b/TODO
index a4cad5757f..9f6f13e2c2 100644
--- a/TODO
+++ b/TODO
@@ -618,6 +618,10 @@ Features:
   - maybe make copying of /etc/resolv.conf optional, and skip it if --read-only
     is used
 
+* dissect
+  - refuse mounting over a mount point
+  - automatically discover .roothash files in dissect, similarly to nspawn
+
 * machined:
   - add an API so that libvirt-lxc can inform us about network interfaces being
     removed or added to an existing machine
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
index e3c96b7407..f2f1e135ec 100644
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
@@ -95,21 +95,25 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_flags |= DISSECT_IMAGE_READ_ONLY;
                         break;
 
-                case ARG_DISCARD:
+                case ARG_DISCARD: {
+                        DissectImageFlags flags;
+
                         if (streq(optarg, "disabled"))
-                                arg_flags &= ~(DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_DISCARD|DISSECT_IMAGE_DISCARD_ON_CRYPTO);
+                                flags = 0;
                         else if (streq(optarg, "loop"))
-                                arg_flags = (arg_flags & ~(DISSECT_IMAGE_DISCARD|DISSECT_IMAGE_DISCARD_ON_CRYPTO)) | DISSECT_IMAGE_DISCARD_ON_LOOP;
+                                flags = DISSECT_IMAGE_DISCARD_ON_LOOP;
                         else if (streq(optarg, "all"))
-                                arg_flags = (arg_flags & ~(DISSECT_IMAGE_DISCARD_ON_CRYPTO)) | DISSECT_IMAGE_DISCARD_ON_LOOP | DISSECT_IMAGE_DISCARD;
+                                flags = DISSECT_IMAGE_DISCARD_ON_LOOP | DISSECT_IMAGE_DISCARD;
                         else if (streq(optarg, "crypt"))
-                                arg_flags |= DISSECT_IMAGE_DISCARD_ON_LOOP | DISSECT_IMAGE_DISCARD | DISSECT_IMAGE_DISCARD_ON_CRYPTO;
+                                flags = DISSECT_IMAGE_DISCARD_ANY;
                         else {
                                 log_error("Unknown --discard= parameter: %s", optarg);
                                 return -EINVAL;
                         }
+                        arg_flags = (arg_flags & ~DISSECT_IMAGE_DISCARD_ANY) | flags;
 
                         break;
+                }
 
                 case ARG_ROOT_HASH: {
                         void *p;
diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h
index 902c8d4a37..175ddd8ea0 100644
--- a/src/shared/dissect-image.h
+++ b/src/shared/dissect-image.h
@@ -61,9 +61,12 @@ static inline int PARTITION_VERITY_OF(int p) {
 
 typedef enum DissectImageFlags {
         DISSECT_IMAGE_READ_ONLY = 1,
-        DISSECT_IMAGE_DISCARD_ON_LOOP = 2,   /* Turn on "discard" if on loop device and file system supports it */
+        DISSECT_IMAGE_DISCARD_ON_LOOP = 2,   /* Turn on "discard" if on a loop device and file system supports it */
         DISSECT_IMAGE_DISCARD = 4,           /* Turn on "discard" if file system supports it, on all block devices */
         DISSECT_IMAGE_DISCARD_ON_CRYPTO = 8, /* Turn on "discard" also on crypto devices */
+        DISSECT_IMAGE_DISCARD_ANY = DISSECT_IMAGE_DISCARD_ON_LOOP |
+                                    DISSECT_IMAGE_DISCARD |
+                                    DISSECT_IMAGE_DISCARD_ON_CRYPTO,
 } DissectImageFlags;
 
 struct DissectedImage {