A Gift for the Open Source Community: Chainguard’s CVE-Free Raspberry Pi Images (Beta)

This weekend at Texas Linux Fest 2025 in Austin, I shared something new with the open source community onstage: the first-ever CVE-free, vulnerability-free Raspberry Pi image.

Why Raspberry Pi

The Raspberry Pi has become one of the most beloved platforms for developers, tinkerers, educators, and makers. It powers classroom projects, home labs, robotics experiments, and even production systems in surprising places. But like all Linux-based systems, Raspberry Pis can accumulate vulnerabilities over time—often unnoticed by those using them.

At Chainguard, we’ve spent the last few years proving that it’s possible to eliminate vulnerabilities from container images, Linux distros, and open source software supply chains. Now we’re bringing that same expertise to the maker community.

A Small Gift to the Community

These Raspberry Pi images are being released as a gift to the developer community. This is not a commercial product, nor is it intended for production use at this time—it’s very much a beta experiment for tinkering and exploration.

By design, we haven’t implemented an in-place update system, so please think of them as a secure starting point—but not something you should rely on for critical workloads. Rather, this is an important demonstration of what is possible with Chainguard OS!

What Makes This Special

As of publication, these Raspberry Pi images are:

1. Completely CVE-free: Zero known vulnerabilities at the time of build

2. Hardened and secure: Using Chainguard’s proven processes for supply chain security

3. First of their kind: To our knowledge, no other Raspberry Pi images in the maker community have ever shipped vulnerability-free

Yes, there will be some rough edges, as this one of many developer-led experiments at Chainguard. But it’s also a milestone: proof that even hobbyist systems can start life free from vulnerabilities.

Where We Go From Here

We’d love to hear from you. If the response to these images is strong, our engineering and product teams can take the next step—building the infrastructure needed to keep Raspberry Pis continuously up to date and secure.

For now, we hope you’ll:

• Download the image here

• Uncompress it

  • $ gunzip rpi-generic-docker-arm64-*.raw.gz

• Write it to an sdcard

  • $ sudo dd if=rpi-generic-docker-arm64-*.raw of=/dev/sda bs=1M

• Boot it up on your Pi 4 or Pi 5

  • Username / password is “linky” / “linky”

• Scan them, test them, break them

  • And share your feedback in our community Slack channel

Chainguard exists to make open source software trustworthy by default. Bringing a hardened Raspberry Pi image to the maker community is one small way we’re saying thank you—and starting a conversation about what secure-by-default could look like, even in our hobby projects.