diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
index a7b67190ee..0017236a1a 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/README
@@ -4,4 +4,4 @@ Settings here must *ONLY* influence installing binary packages and never
 change build time settings like USE or CFLAGS because binary packages
 are shared between dev and prod, dev just includes more stuff.
 
-For example, INSTALL_MASK and package.provided are ok.
+For example INSTALL_MASK, package.mask, and package.provided are ok.
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
new file mode 100644
index 0000000000..2f252c78ed
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/prod/package.mask
@@ -0,0 +1,15 @@
+# Packages that we do not want to ship in production images. Masking these
+# is merely as a safe guard against pulling them in accidentally.
+
+# We don't want to support interpreted languages, changes/updates we make
+# would have a high risk of breaking users.
+dev-lang/perl
+# TODO dev-lang/python
+dev-lang/ruby
+
+# Since all SSL/TLS implementations are bad we minimize the number we ship.
+net-libs/gnutls
+
+# We do not configure/install grub like other distros so shipping the user
+# space tools would have limited utility.
+sys-boot/grub