Chainguard today announced Chainguard EmeritOSS, its new model for supporting mature open source projects and long-term open source software (OSS) sustainability for the community.
“We’re creating a stable and predictable home for projects that have reached this stage,” wrote Erin Glass, staff product manager, Dan Lorenc, CEO and co-founder, and Kim Lewandowski, CSO and co-founder, in a blog post.
Mature OSS projects often remain embedded in production systems after maintainers move on. In an interview with The New Stack, Lorenc mentioned that last year’s xz-utils incident — where a backdoor was nearly introduced after the 20-year maintainer wanted to retire — exemplifies the risks when there’s no safe transition path.
“Last year’s xz-utils incident demonstrated how severe the consequences can be when there’s no clear path for maintainers to step away safely,” the Chainguard post reads. “When the original maintainer wanted to retire after 20 years of commitment to the project, a new contributor gradually gained trust and then nearly introduced a sophisticated backdoor that could have compromised countless systems across the industry.”
Indeed, many open source projects fall into a gray area between active development and complete abandonment, Chainguard said. “They’re stable and widely used but still need minimal maintenance for security patches, dependency updates, and compiler upgrades. When maintainers move on, these projects can become security risks.”
Kaniko Was First
“In June 2025, when Google announced it was archiving the Kaniko project, some of our customers reached out to tell us how disruptive the change was to their workflows,” Chainguard said. “We stepped in with maintenance-only support on our fork of Kaniko to help them safely use or transition away from Kaniko.”
Kaniko is part of the EmeritOSS program.
I covered that news and wrote: “Kaniko, a tool that enables building Docker images inside Kubernetes clusters without privileged containers, has become foundational infrastructure for organizations across financial services, defense, and other regulated industries.”
Today, Chainguard said, “With Kaniko, we’ve already delivered CVE [common vulnerabilities and exposures] fixes, dependency updates, and maintained images to keep customer workloads running safely during their migration period.”
In addition, today Chainguard added two additional inductees into the EmeritOSS program: Kubeapps and ingress-nginx, two tools whose maintainers have reached natural life cycle transitions. As part of the program, Chainguard is enabling these projects to stay secure and operational for teams who depend on them.
“Having the possibility to get a supported ingress-nginx allows us to spend more time to evaluate the plan to move teams to another ingress controller or gateway API,” said Louis Gisarov, DevOps lead at Rogers Communications, in a statement. “Chainguard’s decision to take on the maintenance of ingress-nginx gives us confidence that we can continue to operate securely. It’s great to see an organization step in to support critical OSS in a way that respects maintainers and protects users at the same time.”
“Our forked, stability-focused versions will remain freely available on GitHub in source form only,” Chainguard said. “Organizations that prefer a secure, continuously maintained container image or APK can opt for our commercial distribution.”
Chainguard EmeritOSS Team
Chainguard has initially established a team of two to three people to work on the EmeritOSS program, Lorenc said.
“We’re experimenting now just to see how big we can scale this. Because the work is bursty. Some months, some quarters, some years, there might be zero work for any given project. Other times, it’s going to get busy,” he told The New Stack. “So, we kind of want to push the limits to see how many of these projects a small team can really do this for and then figure out what it’ll look like as we start to scale it up.”
Although the team is starting small to test the model before scaling, it is leveraging Chainguard’s existing automation infrastructure for vulnerability patching and using AI tools to scale support across potentially hundreds or thousands of projects, Lorenc said.
Filling the Gap
Without a structured transition model, organizations that depend on these mature projects are left vulnerable. EmeritOSS helps fill this gap. It provides a secure, stability-focused safe landing for essential open source projects that don’t need new features but do require ongoing care, Lorenc said.
According to the blog post, Chainguard offers various levels of support depending on community expectations and the project’s life cycle, including:
- “Creating a public fork of the project to preserve ongoing access to the codebase. These are not hostile forks — our goal is continuity, not competition.
- “Updating dependencies to fix vulnerabilities and creating new releases with the updates.
- “Publishing clear documentation outlining support scope and service levels.
- “Building EmeritOSS projects from source and adding them to our image catalog when needed, along with updated APK packages where applicable.”
Chainguard will not support new feature development or proactively engage with community issues or pull requests because these projects are mature and don’t require it. “Our job is to maintain them safely in that state,” Lorenc said.
However, “Our forked, stability-focused versions will remain freely available on GitHub in source form only. Organizations that prefer a secure, continuously maintained container image or APK can opt for our commercial distribution,” the Chainguard post said.
“These are not hostile forks — our goal is continuity, not competition,” Lorenc said.
Meanwhile, Lorenc summed up the goal of the EmeritOSS program: “There are two kinds of projects out there, ones where you care what version number you’re on, and ones where you don’t know what version number you’re on. And this is for the latter.”
Chainguard frames this as part of its broader OSS commitment, citing its Sigstore on-call work and GitHub Secure Open Source Fund contributions.
“I think over time, this is probably something some foundation should try to pick up, but we want to prove it works before we do something like that,” Lorenc said. “You know, we’re chatting with folks like the Linux Foundation and other groups to see if this makes sense long term.”