A year ago we announced Wolfi, the first community Linux un-distro designed for minimalism, rapid updates, and lightning-fast CVE remediation. Our hope was that this combination of characteristics would provide secure, hardened, zero-known CVE containers. Since Wolfi’s release, the team of maintainers at Chainguard and contributors in the community have been focused on helping developers address software supply chain security challenges by providing a foundation that allows you to build software right from the start.
Here’s a quick snapshot of Wolfi’s progress over the past year:
Technical innovations in Wolfi
While distros have been around since the dawn of computing, we’ve taken a novel approach with Wolfi to address the era of computing that is today’s reality: one focused on rapid adoption of containerized and cloud-native workloads. With Wolfi, we’re able to address a unique set of problems. One principle that was important for Wolfi’s design was to prioritize update speed rather than stability. We believe fast updates are a distro’s responsibility and that users should never have to wait on their distro to release a fix. Wolfi applies a rolling release cadence and doesn’t have versions, only packages that rapidly receive version updates. This ensures that Wolfi users can use vulnerability-free packages as soon as possible.
Over the past year, the Wolfi community has achieved many technical milestones that are enabling the project to become the distro for cloud-native development and software supply chain security innovation. These include:
Wolfi-act: We released an open-source project called wolfi-act, which lets Wolfi packages be used dynamically within GitHub Actions. Using wolfi-act, you specify a comma-separated list of packages available in Wolfi that you wish to install into an ephemeral environment via the packages input, and the command to run in that environment via the command input.
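As an added example (not from the post or the wolfi-act project), here is a workflow step that uses the packages and command inputs described above to install grype and jq from Wolfi and gate a pull request on scanner findings; the action reference wolfi-dev/wolfi-act@main and the package names are assumptions.

```yaml
name: wolfi-act example
on:
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Install tools from Wolfi packages into an ephemeral environment and
      # run a command inside it. `packages` is a comma-separated list of
      # Wolfi package names; `command` runs once they are installed.
      - name: Scan the checkout with Wolfi-packaged grype
        uses: wolfi-dev/wolfi-act@main   # assumed action reference
        with:
          packages: grype,jq             # assumed Wolfi package names
          command: |
            # Scan the repository contents and keep the JSON report
            grype dir:. --output json > grype.json
            # Fail the job if any High or Critical finding is present;
            # jq -e exits non-zero when the final expression is false
            jq -e '[.matches[]
                    | select(.vulnerability.severity == "High"
                             or .vulnerability.severity == "Critical")]
                   | length == 0' grype.json
```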
64-bit Arm support: We build 64-bit Arm versions of all Wolfi packages. Our build system performance-tunes our packages specifically for the Arm chips found in the major cloud providers, including AWS, GCP and Azure, allowing users to further capitalize on Arm’s power consumption and cost benefits.
Memory safety: We introduced the Rustls TLS library into Wolfi in partnership with the Internet Security Research Group (ISRG). This was an extremely important milestone because memory safety vulnerabilities are responsible for MANY critical, remotely exploitable, and in-the-wild attacks we see on software.
Fully Bootstrapping Go and Java from source: A full-source bootstrap is one where an entire language ecosystem is bootstrapped purely from source code. Because Wolfi is built for a secure software supply chain, having a complete understanding of a language ecosystem’s provenance is extremely important. We’ve been working on full-source bootstraps for all the languages Wolfi supports. Today, Wolfi is one of the few distributions which has full provenance all the way back to a purely source-based build of Java and same for Go. In the future, we will add full-source bootstrapping for Rust and other language ecosystems.
A growing ecosystem of scanner support: We have been amazed by the amount of support in the community for Wolfi and in particular how quickly various scanners added support for our security feeds, including Docker Scout, Grype, Prisma Cloud, Snyk and Trivy.
Helping open source developers in real time: Sourcegraph adopted the Wolfi toolchain to help solve their container challenges: patching vulnerabilities and the dependency supply chain. Wolfi + apko + melange helped them achieve fewer vulnerabilities, roll out easier patching, simplified dependencies and fast, reliable builds.
What’s to come
Our intention with Wolfi is to be a community-driven project that becomes the most trusted distro for containerized workloads. We also hope that builders everywhere consider what is possible to create with Wolfi to solve a variety of challenges. For example, we would love to see how Wolfi can be used in more scenarios such as embedded computing, where Wolfi's commitment to minimalism and modularity is potentially a great fit. We will continue to focus on building the project and community over the next year and beyond, supporting new architectures, workloads and more.
One clear use case of Wolfi in practice today is Chainguard Images, which is why we set out to build the project. Chainguard Images is just one of the solutions Wolfi has enabled, and we encourage more users and the community to explore what’s possible to build with Wolfi for years to come.
And if you made it this far and still don’t know what a Wolfi is: the name Wolfi was inspired by the world’s smallest octopus, because its packages are designed to be granular and independent to support minimal images.
Monthly community call - 1st Wednesday of every month at 12pm ET! Add the invite from Wolfi’s public calendar to your schedule!
Questions to discuss? Submit them to our GitHub Community discussions forum.
Get started with Wolfi using the Chainguard Academy “Hello Wolfi” kit.