Strictly speaking Fedora doesn't make you do the first one, but it's
*well* understood for a long time how fragile this is which is why
offline updates was created.
Well, this is a surprise to me. I guess my faith in dnf was misplaced.
"...Updating online works 99.8% of the time. The 0.1% time it will corrupt random bits of your file-system, and 0.1% of the time it will leave you vulnerable to the security issue you thought you just "fixed". The only way to fix this so that online updates are safe is to redesign the centralised shared package model we use for distributing applications. The workaround is to use offline updates..."