Announcing Chainguard EOL Grace Period: Time and Flexibility for Updating Software
Now Available in Beta
We’re excited to announce the Beta release of EOL Grace Period, Chainguard’s new product for container images that will support customers as they transition off of end-of-life (EOL) software.
Relying on unmaintained open source is common among enterprises, as it can be costly and complex to migrate to updated versions. However, EOL software quickly accumulates vulnerabilities (CVEs) and becomes a significant source of supply chain security risk. As customers approached us with this challenge, Chainguard found that over 99% of the CVEs reported in the first six months after the EOL date are actually in the underlying dependencies – as opposed to the primary runtime or application package. And because Chainguard has built its own Linux distribution, with granular control over the entire supply chain, we can update those underlying dependencies, rebuild EOL software, and deliver container images that are free of CVEs.
Productizing these capabilities led us to this Beta launch of EOL Grace Period, under which Chainguard will remediate CVEs and rebuild EOL images for up to six months past the initial EOL date. In doing so, Chainguard will reduce the software supply chain threats stemming from unmaintained software and support a gradual transition to up-to-date software — ultimately giving busy engineering teams more time for migration planning and execution. See below for a demo of these capabilities:
In this blog post, we’ll go deeper into the motivations for building EOL Grace Period and explain the value Chainguard will deliver to customers.
Status Quo Challenges with EOL Software
There are a few primary reasons why an enterprise might be relying on EOL software:
Release Cycle Timing: Enterprise engineering organizations often have long software release schedules (over three months in some cases) that make updating software versions challenging. Updating software in the middle of a cycle could require significant application refactoring to account for functionality changes between tagged releases, and doing so introduces additional overhead for engineering teams.
Bugs in New Versions: Newer version streams of software can introduce novel bugs that inhibit the feasibility of updates. As a result, teams continue relying on EOL software to ensure that they can support their end customers and continue to deliver functional software.
Managing Open Source at Scale: Every open source project has its own release cycle, versioning philosophy, and maintenance cadence. For an enterprise relying on thousands of different components, it is obviously difficult to track end of life dates, plan a migration, and execute the transition while mitigating breakage. Naturally, projects fall through the cracks and end up living on as unmaintained software.
In all cases, customers relying on EOL software are no longer benefiting from security patches released by upstream maintainers. As a result, they have limited support for the elimination of vulnerabilities accruing in their environment. This not only introduces software supply chain security risk, but also the risk of non-compliance with regulatory requirements that mandate CVE elimination under SLAs (FedRAMP, PCI DSS, HIPAA, and more).
Chainguard’s Solution: EOL Grace Period
To solve the challenges of unmaintained software and CVE proliferation for our customers, we built EOL Grace Period as a new product for Chainguard Images customers. Under an EOL Grace Period, Chainguard will automatically address CVEs in the non-primary packages (runtime dependencies, linked libraries, supporting packages, etc.) underpinning an EOL image for up to six months after the image’s EOL date. That means that as long as the image continues to build within the six-month timeframe, Chainguard will deliver minimal, low-CVE container images to our customers relying on legacy software. The graphic below illustrates the end state of EOL Grace Period with a hypothetical example.

There are a few key pillars of value that Chainguard will deliver with EOL Grace Period:
Hardened Security Posture: For customers relying on legacy container images that are no longer supported by upstream maintainers, Chainguard will eliminate vulnerabilities in the non-primary packages. Enterprises will be able to rely on legacy software without accepting an overwhelming volume of software supply chain risks.
Flexibility and Time: By providing a grace period during which customers can gradually transition to updated software, Chainguard delivers flexibility to busy engineering teams simply because they have more time. Customers in the middle of release cycles don’t have to take on unnecessary refactoring, and customers running into bugs in the latest versions of software can wait for upstream support before migrating.
CVE Minimization – Extending the SLA: Chainguard’s SLA for CVE remediation only applies to supported software. Previously, that meant we could not extend our SLA to EOL images for any period of time. Now, with EOL Grace Period, we will extend our CVE remediation SLA to the non-primary packages in an EOL image.
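Added illustration (not Chainguard's code or tooling): a small Python script that sorts a constructed scan result into the CVEs the grace period would cover (non-primary packages, within six months of the EOL date) and those it would not, and reports the share of findings that sit in dependencies rather than the primary package. Package names, CVE ids and dates are placeholders.

```python
import calendar
from dataclasses import dataclass
from datetime import date

GRACE_MONTHS = 6  # length of the EOL Grace Period described in the post


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding from an image scan (constructed, not a real scanner format)."""
    cve: str
    package: str
    severity: str


def grace_period_end(eol: date, months: int = GRACE_MONTHS) -> date:
    """Last day of the grace period: EOL date plus `months`, day clamped to the target month."""
    month_index = eol.month - 1 + months
    year, month = eol.year + month_index // 12, month_index % 12 + 1
    day = min(eol.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def triage(findings, primary_pkg: str, eol: date, as_of: date) -> dict:
    """Split findings by whether the grace period (non-primary packages only) would cover them."""
    end = grace_period_end(eol)
    status = "before_eol" if as_of < eol else ("active" if as_of <= end else "expired")
    report = {"status": status, "grace_period_end": end, "covered": [], "primary": [], "uncovered": []}
    for f in findings:
        if f.package == primary_pkg:
            report["primary"].append(f)  # the EOL package itself is out of scope
        elif status == "active":
            report["covered"].append(f)
        else:
            report["uncovered"].append(f)
    # share of findings that sit in dependencies rather than the primary package
    report["dependency_share"] = (len(findings) - len(report["primary"])) / len(findings) if findings else 0.0
    return report


# Constructed sample: hypothetical image whose primary package is "example-app";
# package names and CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample-ssl", "high"),
    Finding("CVE-0000-0002", "libexample-xml", "medium"),
    Finding("CVE-0000-0003", "example-app", "critical"),
    Finding("CVE-0000-0004", "zlib-example", "low"),
]
SAMPLE_EOL = date(2024, 8, 31)

if __name__ == "__main__":
    r = triage(SAMPLE_FINDINGS, "example-app", SAMPLE_EOL, date(2024, 11, 1))
    print(f"status={r['status']} ends={r['grace_period_end']} covered={len(r['covered'])} "
          f"primary={len(r['primary'])} dependency_share={r['dependency_share']:.0%}")
```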
We are providing EOL Grace Period to give customers flexibility and cushion when transitioning to newer software. However, we always encourage our customers to deploy the latest and greatest versions of our images — it is the best way to implement engineering and security best practices, eliminate software supply chain risks like CVEs, and, ultimately, build better software.
Getting Started with EOL Grace Period
We’re excited to hear your feedback as you deploy EOL images guarded under Chainguard’s EOL Grace Period. It will play a key role in shaping our future plans to incorporate additional EOL capabilities that deliver even more value.
If you’d like to learn more about EOL Grace Period or how Chainguard’s minimal, zero-CVE containers can transform your software supply chain, reach out today. Existing Chainguard Images customers can get started with EOL Grace Period by reaching out directly to their account teams and exploring our docs.