Chainguard Launches Wolfi, a Linux “Undistribution”


There are numerous Linux distributions that are explicitly designed for containers. Even Microsoft has one, Common Base Linux (CBL)-Mariner. Other examples include Alpine Linux, Flatcar Container Linux, Red Hat Enterprise Linux CoreOS (RHCOS), and RancherOS. Now Chainguard, a cloud-native software security company, has a new take on this popular kind of cloud-friendly Linux: Wolfi, an “undistribution”.

I asked Chainguard CEO and founder Dan Lorenc at Open Source Summit Europe in Dublin what he meant by “undistribution”. He explained, “We call it an undistribution because that is technically correct. Inside the container, you have everything except Linux, right? So, although it is based on Linux, it is not really correct to call it a Linux distribution.”

Lorenc continued that what most people would call a container Linux is “a distro that runs on hardware and gets you up to the container runtime. Alpine is probably the most widely used distro. To the point of not having a package manager.” It has just enough to run your application in containers, and that is it.

To make this new Linux variant, Lorenc said, “We hired a bunch of the original Alpine team. But Alpine was never built for containers. It was originally built for routers, firmware, and that kind of thing. What made it so attractive was its size and security.” Wolfi takes this simple approach to the extreme for security.


Lorenc explained: “We believe in reducing dependencies as much as possible, simplifying the process of auditing, updating, and porting images, as well as reducing the potential attack surface. Wolfi [named for the smallest and most flexible octopus] is designed from the ground up to take full advantage of these containerized environments with enhanced security.”

Wolfi does more than just cut all the fat to secure itself. It also comes with built-in software supply chain security measures. Specifically, the main features are:

  • Based on the Alpine Package Format (APK)
  • Packages are precise and sufficient to support minimal images
  • Comes with a high-quality build-time Software Bill of Materials (SBOM) for all packages
  • A fully declarative and reproducible build system

In practice, Chainguard’s images are rebuilt daily from upstream sources. Images are signed via Sigstore, the code signing and verification standard, and are described in an SBOM. The signature can be verified to show that the image is the image you want and has not been tampered with.

Chainguard claims that every package in these images is reproducible by default. In other words, you will get the same image if you build the package yourself from the source code. This is also ensured by Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”). This is a source-to-service security framework that ensures the integrity of software artifacts by protecting against unauthorized changes to software packages.


All of these signatures, provenance data, and SBOMs are stored in a new Open Container Initiative (OCI) registry alongside the images. You can then verify them using Sigstore’s cosign tools so you can trust the images.

Ironically, Lorenc said, “by keeping everything up to date and reducing the number of dependencies,” Chainguard makes it so that “security scanners like grype, Snyk, and trivy report so few vulnerabilities on our images that people sometimes think their scanners don’t work. But this reduction significantly reduces the burden on teams responsible for investigating and mitigating potential security issues.”

Along with Wolfi, Chainguard is updating Chainguard Images, including base images for independent binaries, applications such as Nginx, and development tools such as Go and C compilers.

So, if you like the idea of having the latest code and full supply chain security in your images, I highly recommend trying Wolfi. You can do this by browsing and selecting images from the Wolfi GitHub repository; they come with how-to documentation and can be easily integrated into your existing product lines. And of course, you can check the security signatures and SBOMs using the cosign tool.
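One way to turn the cosign verification described above into a deployment gate, as an added example that is not from the article or from Chainguard or Sigstore: it verifies the keyless signature and the SBOM attestation, checks the signer reported in cosign's output against the expected identity, and pins the verified manifest digest for the deploy step. The image reference, OIDC issuer and signing identity are placeholders, and the sample payload is constructed to mirror cosign's output shape.

```shell
#!/bin/sh
# Added example, not from the article or from Chainguard/Sigstore: gate a deployment on
# cosign verification of a keyless-signed image and its SBOM attestation, then pin the
# verified digest. IMAGE, ISSUER and IDENTITY are placeholders you must replace.
IMAGE="${IMAGE:-registry.example.com/wolfi-base:latest}"          # placeholder image
ISSUER="${ISSUER:-https://token.actions.githubusercontent.com}"   # assumed OIDC issuer
IDENTITY="${IDENTITY:-https://github.com/example-org/images/.github/workflows/build.yaml@refs/heads/main}"  # placeholder

# Verify the image signature (needs network and cosign >= 2.0); prints the signed payload as JSON.
verify_image() {
  cosign verify --certificate-oidc-issuer "$ISSUER" --certificate-identity "$IDENTITY" \
    --output json "$1"
}
# Verify that an SPDX SBOM attestation exists and was signed by the same identity.
verify_sbom() {
  cosign verify-attestation --type spdxjson --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity "$IDENTITY" "$1" >/dev/null
}
# Pull the manifest digest out of cosign's JSON so the deploy step can pin it:
# a tag can be moved after verification, a digest cannot. Offline; whitespace is
# stripped first (cosign's keys and URL values contain none).
signed_digest() {
  printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"docker-manifest-digest":"\(sha256:[0-9a-f]*\)".*/\1/p'
}
# Independently confirm the payload's Issuer/Subject are the ones we asked for; 0 if so, 1 if not.
payload_matches() {
  _p=$(printf '%s' "$1" | tr -d ' \n')
  case "$_p" in
    *"\"Issuer\":\"$ISSUER\""*"\"Subject\":\"$IDENTITY\""*) return 0 ;;
    *) return 1 ;;
  esac
}
# Constructed sample of a cosign verify payload (shape only; the digest is made up).
SAMPLE_PAYLOAD='[{"critical":{"identity":{"docker-reference":"registry.example.com/wolfi-base"},
"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
"type":"cosign container image signature"},"optional":{"Issuer":"https://token.actions.githubusercontent.com",
"Subject":"https://github.com/example-org/images/.github/workflows/build.yaml@refs/heads/main"}}]'

# Pipeline entry point: verify, then emit the digest-pinned reference for the deploy step.
gate_and_pin() {
  payload=$(verify_image "$1") || { echo "signature verification failed for $1" >&2; return 1; }
  payload_matches "$payload"   || { echo "unexpected signer on $1" >&2; return 1; }
  verify_sbom "$1"             || { echo "no trusted SBOM attestation on $1" >&2; return 1; }
  echo "${1%:*}@$(signed_digest "$payload")"   # strips the tag, keeps the repository path
}

if [ "${RUN_GATE:-0}" = 1 ]; then gate_and_pin "$IMAGE"; fi
```

Run with `RUN_GATE=1` against a real image to exercise the network path; the digest and signer checks work offline on the constructed sample.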
