
Announcing Chainguard EOL Grace Period: Time and Flexibility for Updating Software

Tony Camp, Staff Product Manager and Aaditya Jain, Senior Product Marketing Manager

Now Available in Beta


We’re excited to announce the Beta release of EOL Grace Period, Chainguard’s new product for container images that will support customers as they transition off of end-of-life (EOL) software.


Relying on unmaintained open source is common among enterprises, as it can be costly and complex to migrate to updated versions. However, EOL software quickly accumulates vulnerabilities (CVEs) and becomes a significant source of supply chain security risk. As customers approached us with this challenge, Chainguard found that over 99% of the CVEs reported in the first six months after the EOL date are actually in the underlying dependencies – as opposed to the primary runtime or application package. And because Chainguard has built its own Linux distribution, with granular control over the entire supply chain, we can update those underlying dependencies, rebuild EOL software, and deliver container images that are free of CVEs.


Productizing these capabilities led us to this Beta launch of EOL Grace Period, under which Chainguard will remediate CVEs and rebuild EOL images for up to six months past the initial EOL date. In doing so, Chainguard will reduce the software supply chain threats stemming from unmaintained software and support a gradual transition to up-to-date software — ultimately giving busy engineering teams more time for migration planning and execution. See below for a demo of these capabilities:



In this blog post, we’ll go deeper into the motivations for building EOL Grace Period and explain the value Chainguard will deliver to customers.


Status Quo Challenges with EOL Software


There are a few primary reasons why an enterprise might be relying on EOL software:


  1. Release Cycle Timing: Enterprise engineering organizations often have long software release schedules (over three months in some cases) that make updating software versions challenging. Updating software in the middle of a cycle could require significant application refactoring to account for functionality changes between tagged releases, and doing so introduces additional overhead for engineering teams.

  2. Bugs in New Versions: Newer version streams of software can introduce novel bugs that make updating impractical. As a result, teams continue relying on EOL software to ensure that they can support their end customers and continue to deliver functional software.

  3. Managing Open Source at Scale: Every open source project has its own release cycle, versioning philosophy, and maintenance cadence. For an enterprise relying on thousands of different components, it is difficult to track end-of-life dates, plan a migration, and execute the transition while mitigating breakage. Naturally, projects fall through the cracks and end up living on as unmaintained software.


In all cases, customers relying on EOL software are no longer benefiting from security patches released by upstream maintainers. As a result, they have limited support for the elimination of vulnerabilities accruing in their environment. This not only introduces software supply chain security risk, but also the risk of non-compliance with regulatory requirements that mandate CVE elimination under SLAs (FedRAMP, PCI DSS, HIPAA, and more).


Chainguard’s Solution: EOL Grace Period


To solve the challenges of unmaintained software and CVE proliferation for our customers, we built EOL Grace Period as a new product for Chainguard Images customers. Under an EOL Grace Period, Chainguard will automatically address CVEs in the non-primary packages (runtime dependencies, linked libraries, supporting packages, etc.) underpinning an EOL image for up to six months after the image’s EOL date. That means that as long as the image continues to build within the six-month timeframe, Chainguard will deliver minimal, low-CVE container images to our customers relying on legacy software. The below graphic helps illustrate the end state of EOL Grace Period with a hypothetical example.
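To make that scope concrete for teams triaging scanner output, here is an added Python illustration of the rule as described above. It is not Chainguard's code and says nothing about how the product is implemented: findings attributed to packages other than the image's primary package are in scope while the image is inside the six-month window and still builds; findings in the primary package, or anything after the window closes, remain the customer's to address. The package names, CVE identifiers and dates are constructed, and treating "six months" as six calendar months is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Stated in the announcement: up to six months past the EOL date.
# Interpreting that as calendar months is an assumption made here.
GRACE_PERIOD_MONTHS = 6


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str  # package the scanner attributes the CVE to


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole months, clamping the day to the
    target month's length (e.g. Mar 31 + 6 months -> Sep 30)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def grace_period_end(eol: date) -> date:
    """Last day on which the grace period still applies."""
    return add_months(eol, GRACE_PERIOD_MONTHS)


def in_grace_period(eol: date, today: date) -> bool:
    """True from the EOL date through the end of the grace window."""
    return eol <= today <= grace_period_end(eol)


def triage(findings, primary_package, eol, today, image_still_builds=True):
    """Split findings into (covered, not_covered).

    Covered: non-primary packages while the grace period is active and the
    image still builds. Everything else stays with the image owner, which is
    the caveat a team should keep in view when reading a 'low-CVE' result.
    """
    active = in_grace_period(eol, today) and image_still_builds
    covered, not_covered = [], []
    for f in findings:
        if active and f.package != primary_package:
            covered.append(f)
        else:
            not_covered.append(f)
    return covered, not_covered


# Constructed sample: hypothetical image whose primary package reached EOL
# on 2024-03-31, scanned on 2024-07-15. CVE ids are placeholders.
SAMPLE_PRIMARY = "example-runtime"
SAMPLE_EOL = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "example-runtime"),   # primary package: not covered
    Finding("CVE-0000-0002", "libexample-ssl"),    # dependency: covered
    Finding("CVE-0000-0003", "example-base-utils"),  # dependency: covered
]

if __name__ == "__main__":
    covered, not_covered = triage(SAMPLE_FINDINGS, SAMPLE_PRIMARY,
                                  SAMPLE_EOL, date(2024, 7, 15))
    print("grace period ends:", grace_period_end(SAMPLE_EOL))
    print("covered by grace period:", [f.cve_id for f in covered])
    print("still the image owner's responsibility:",
          [f.cve_id for f in not_covered])
```

Running the script on the constructed sample shows the window ending on 2024-09-30 (the day clamps because September has no 31st), two dependency findings in scope and the primary-package finding left out; moving the scan date past the window, or setting `image_still_builds=False`, moves every finding into the not-covered list.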



There are a few key pillars of value that Chainguard will deliver with EOL Grace Period:


  1. Hardened Security Posture: For customers relying on legacy container images that are no longer supported by upstream maintainers, Chainguard will eliminate vulnerabilities in the non-primary packages. Enterprises will be able to rely on legacy software without accepting an overwhelming volume of software supply chain risks. 

  2. Flexibility and Time: By providing a grace period during which customers can gradually transition to updated software, Chainguard delivers flexibility to busy engineering teams simply because they have more time. Customers in the middle of release cycles don’t have to take on unnecessary refactoring, and customers running into bugs in the latest versions of software can wait for upstream support before migrating. 

  3. CVE Minimization – Extending the SLA: Chainguard’s SLA for CVE remediation only applies to supported software. Previously, that meant we could not extend our SLA to EOL images for any period of time. Now, with EOL Grace Period, we will extend our CVE remediation SLA to the non-primary packages in an EOL image. 


We are providing EOL Grace Period to give customers flexibility and cushion when transitioning to newer software. However, we always encourage our customers to deploy the latest and greatest versions of our images — it is the best way to implement engineering and security best practices, eliminate software supply chain risks like CVEs, and, ultimately, build better software.


Getting Started with EOL Grace Period


We’re excited to hear your feedback as you deploy EOL images guarded under Chainguard’s EOL Grace Period. It will play a key role in shaping our future plans to incorporate additional EOL capabilities that deliver even more value.


If you’d like to learn more about EOL Grace Period or how Chainguard’s minimal, zero-CVE containers can transform your software supply chain, reach out today. Existing Chainguard Images customers can get started with EOL Grace Period by reaching out directly to their account teams and exploring our docs.

