Changes to static, Git, and BusyBox Developer Images
We’re making changes to the static, git, and BusyBox Chainguard Developer Images to improve the security posture of these Images. For most users, these changes will have no effect and require no changes. The affected images are:
cgr.dev/chainguard/static:latestcgr.dev/chainguard/git:latest, cgr.dev/chainguard/git:latest-root, cgr.dev/chainguard/git:latest-dev, and cgr.dev/chainguard/git:latest-root-devcgr.dev/chainguard/busybox:latest
The change we are making is to move these images from an Alpine Linux base to a Wolfi base on July 15, 2024. Going forward, all images on cgr.dev will be Wolfi-based.
The Wolfi-based images are available now for people to test and verify there are no breakages. The following tables list the images that are changing on the left, and the equivalent Wolfi images on the right. From July 15, these tags will point to the same images.
For the Chainguard Registry cgr.dev:
And for the Docker Hub Registry:
For the vast majority of users, this change should have no impact on how you are using Chainguard Images. If you are using the Git, static, or BusyBox images, we recommend you confirm that your software is not impacted by swapping out and testing the relevant Wolfi-based image prior to the change.
What’s changing?
If you use an architecture that isn't supported by Wolfi, these changes will impact you. Wolfi-base images are only built for arm64/aarch64 and x86_64/amd64. It is also possible that some users may be relying on Alpine specific behavior or copying binaries compiled against Alpine dependencies into images. This won't be the case for the vast majority of users, but please make sure to test the new images, especially if you are doing anything unconventional with your use case.
After the change on July 15, 2024, both tags will point to the same, Wolfi-based image. As the tags in the right-hand column of the above tables will continue to exist after the change, you can update your tags now and leave them.
While the best option for most people will be to move to Wolfi-based Chainguard Developer Images, we have made available some Alpine-based images on the ghcr.io registry. If you face issues with an unsupported architecture or an unexpected issue with the Wolfi-based images, these images may be the right solution for you at this time.
Please note that while we intend for ghcr.io images to be available long-term, they will be updated using commercially reasonable efforts, and will not receive monitoring and will not be synced to Docker Hub.
Why are you making these changes?
When we first started building Chainguard Images, we experimented with Alpine Linux as a base, before developing our own Wolfi Linux distribution. We now have over 650 images available in our Images Directory and nearly all of them are based on Wolfi. Providing a consistent experience for our users that is built on Wolfi is our priority going forward.
After this change on July 15, 2024, if you're on cgr.dev/chainguard or docker.io/chainguard, you will be using a Wolfi-based Chainguard Image. Providing all Images on the Wolfi Linux distribution, which we created here at Chainguard, allows us to have greater control over the security and quality of packages that are used in Chainguard Images. This enables us to mitigate CVEs that occur in Wolfi packages quickly and effectively, so that we don’t need to rely on releases or updates from third parties like the Alpine Linux distribution.
If you are an existing Chainguard Images customer and believe you are impacted by these changes, please reach out to Chainguard Support. If you are a free Developer tier user, please open an issue on the images repository if you run into problems migrating. We offer Migration Guides on Chainguard Academy that include an Alpine compatibility reference for migrating to Wolfi.
Ready to Lock Down Your Supply Chain?
Talk to our customer obsessed, community-driven team.