
Small octopus and a big idea: The story of how a one-year old Linux un-distro is improving the cloud’s software supply chain

Team Wolfi

A year ago we announced Wolfi, the first community Linux un-distro designed for minimalism, rapid updates, and lightning-fast CVE remediation. Our hope was that this combination of characteristics would provide secure, hardened, zero-known CVE containers. Since Wolfi’s release, the team of maintainers at Chainguard and contributors in the community have been focused on helping developers address software supply chain security challenges by providing a foundation that allows you to build software right from the start.

Image of team behind Wolfi celebrating its 1-year anniversary with two birthday cakes.

Here’s a quick snapshot of Wolfi’s progress over the past year:

  • 1,300+ package configs in the Wolfi repo and 18,000+ packages in the Wolfi index
  • More than 4,400 PRs merged in the Wolfi repo
  • We've achieved a package update interval (the time between an upstream source code release and a new Wolfi package release) that can be measured in hours, not days. Among projects using GitHub releases, the Wolfi update interval is less than 24 hours 80% of the time.
  • Widespread support of scanning tools for vulnerability scans in Wolfi, including Docker Scout, Grype, Snyk, Trivy and Wiz. Prisma Cloud is coming soon.

Technical innovations in Wolfi

While distros have been around since the age of computing, we’ve taken a novel approach with Wolfi to address a new era of computing that’s reality today - one focused on rapid adoption of containerized and cloud-native workloads. With Wolfi, we’re able to address a unique set of problems. One principle that was important for Wolfi’s design was to prioritize update speed rather than stability. We believe fast updates are a distro’s responsibility and that users should never have to wait on your distro to release a fix. Wolfi applies a rolling release cadence and doesn’t have versions, only packages that are rapidly receiving version updates. This ensures that Wolfi users can use vulnerability-free packages as soon as possible.

Over the past year, the Wolfi community has achieved many technical milestones that are enabling the project to become the distro for cloud-native development and software supply chain security innovation. These include:

Wolfi-act:

We released an open-source project called wolfi-act, which lets you use Wolfi packages dynamically within GitHub Actions. With wolfi-act, you specify a comma-separated list of packages available in Wolfi to install into an ephemeral environment via the packages input, and the command(s) to run in that environment via the command input.
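As an added illustration (not a workflow from the original post), here is a CI step that uses the two inputs described above to gate a build on a vulnerability scan; the action reference wolfi-dev/wolfi-act@main and the availability of grype and jq as Wolfi packages are assumptions.

```yaml
# Added example, not from the post: scan the checked-out repository with Grype
# running inside an ephemeral Wolfi environment provided by wolfi-act.
# Assumptions: the action is published as wolfi-dev/wolfi-act@main, and
# 'grype' and 'jq' are installable Wolfi packages.
name: wolfi-act-scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan sources with Grype from Wolfi packages
        uses: wolfi-dev/wolfi-act@main
        with:
          # comma-separated list of Wolfi packages to install into the ephemeral environment
          packages: grype,jq
          # command(s) executed inside that environment
          command: |
            # write the full report for later inspection, then fail the job on critical findings
            grype dir:. -o json > grype-report.json
            jq '[.matches[] | select(.vulnerability.severity == "Critical")] | length' grype-report.json
            grype dir:. --fail-on critical

      - name: Keep the scan report with the run
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: grype-report
          path: grype-report.json
```

Because the environment is discarded after the step, every run starts from freshly installed Wolfi packages, so the scanner itself picks up the rapid package updates the post describes.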

64-bit Arm support:

We build 64-bit Arm versions of all Wolfi packages. Our build system performance-tunes our packages specifically for the Arm chips found in the major cloud providers, including AWS, GCP and Azure, allowing users to further capitalize on Arm's power consumption and cost benefits.

Memory safety:

We introduced the Rustls TLS library into Wolfi in partnership with the Internet Security Research Group (ISRG). This was an extremely important milestone because memory safety vulnerabilities are responsible for MANY critical, remotely exploitable, and in-the-wild attacks we see on software.

Fully Bootstrapping Go and Java from source:

A full-source bootstrap is one where an entire language ecosystem is bootstrapped purely from source code. Because Wolfi is built for a secure software supply chain, having a complete understanding of a language ecosystem’s provenance is extremely important. We’ve been working on full-source bootstraps for all the languages Wolfi supports. Today, Wolfi is one of the few distributions with full provenance all the way back to a purely source-based build of both Java and Go. In the future, we will add full-source bootstrapping for Rust and other language ecosystems.

A growing ecosystem of scanner support:

We have been amazed by the amount of support in the community for Wolfi and in particular how quickly various scanners added support for our security feeds, including Docker Scout, Grype, Prisma Cloud, Snyk and Trivy.

Helping open source developers in real time:

Sourcegraph adopted the Wolfi toolchain to help solve their container challenges: patching vulnerabilities and the dependency supply chain. Wolfi + apko + melange helped them achieve fewer vulnerabilities, roll out easier patching, simplified dependencies and fast, reliable builds.

What’s to come

Our intention with Wolfi is to be a community-driven project that becomes the most trusted distro for containerized workloads. We also hope that builders everywhere consider what is possible to create with Wolfi to solve a variety of challenges. For example, we would love to see how Wolfi can be used in more scenarios such as embedded computing, where Wolfi's commitment to minimalism and modularity is potentially a great fit. We will continue to focus on building the project and community over the next year and beyond, supporting new architectures, workloads and more.

One clear use case of Wolfi in practice today is Chainguard Images, which is why we set out to build the project. Chainguard Images is just one of the solutions Wolfi has enabled, and we encourage more users and the community to explore what's possible to build with Wolfi for years to come.

And if you made it this far and still don’t know what a Wolfi is: the name Wolfi was inspired by the world's smallest octopus, because of the way its packages are designed to be granular and independent to support minimal images.

Get involved!

Monthly community call - 1st Wednesday of every month at 12pm ET! Add the invite from Wolfi’s public calendar to your schedule!

Questions to discuss? Submit them to our GitHub Community discussions forum.

Get started with Wolfi using the Chainguard Academy “Hello Wolfi” kit.

Find us on social media: Mastodon & X
