Home
Unchained
Research Blog

Get 'em while they're hot! How and why Wolfi releases are so fast

James Rawlings, Staff Software Engineer; John Speed Meyers, Manager, DevRel & Labs; and Adrian Mouat, Staff DevRel Engineer

TL;DR: Over 80 percent of package updates in the Wolfi Linux distribution happen within 24 hours, ensuring downstream consumers get up-to-date and vulnerability-free software quickly.



Keeping software up-to-date is simultaneously important (for reducing security risk), useful (for getting new features and squashing bugs), and a painful process (because updating usually requires developers and users to do something). That’s why software package repositories, like the one in the Wolfi community Linux undistribution, prioritize shipping new versions of upstream software when a new upstream version appears.

Repology, a project that monitors package repositories, measures the overall “freshness” of package repositories, highlighting the importance of rapid package updates to those parties who care about software packaging. Rapid updates provide downstream consumers the option of using a newer version, which is especially important when there are known Common Vulnerabilities and Exposures (CVEs) in older versions.

To measure the speed at which package updates are made in Wolfi — the time between an upstream release of a new version and the equivalent package release in Wolfi — we assembled a dataset of over 5,000 Wolfi package releases from July 2023 to February 2024. Analysis of this dataset showed us that:

  • Over 80% of Wolfi updates happen within 24 hours. And the majority of the updates that happen within 24 hours actually occur within 8 hours.

  • Over 90% of updates happen within 3 days.


  • The median time to update is 4 hours.


Time from upstream release to Wolfi package release for packages with an upstrem GitHub release based on versions in 24 hour increments.

Time from upstream release to Wolfi package release for packages with an upstream GitHub release based on versions in 1 hour increments up to 24 hours.

In short, Wolfi updates happen fast, ensuring that downstream consumers can pull the latest upstream releases without delay. This is great for users of Wolfi, but is also of critical importance to Chainguard Images customers who rely on our low-to-zero known CVE container images. Chainguard Images are our suite of minimal, hardened container images, built from Wolfi packages. The speed of Wolfi updates is a key factor in our ability to keep the CVE in our Images close to zero.

If you'd like to dive deeper into Wolfi packages, check out wolfi.dev. Our website contains more details on the secure container images we build from Wolfi.

You can get started pulling our Chainguard Developer Images for free today at images.chainguard.dev or reach out to our team to learn more about Chainguard Production Images.

Appendix: Where this data comes from

We started keeping data on Wolfi package updates back in July 2023. We use two sources to tell us when a project has a new update: release-monitoring.org and the GitHub GraphQL API. Unfortunately, the release-monitoring updates have much less metadata, so the package update database (and the data presented here) contains only GitHub data.

The graphs in the post were created by exporting the data to CSV format via BigQuery and processing via pandas and numpy before being turned into a graph with seaborn and matplotlib. We excluded values where the update happened sooner than the release, which can be caused by upstream projects redoing a release without updating the release version (note that Wolfi will handle this case by bumping the Wolfi revision number and releasing the new version, so users get the correct version and we can still identify the previous release).

The median time to update is just 4 hours, but the mean time is 88 hours (just over 3 days). Around 4.6% of packages take over a week to release and form a long-tail that pulls out the average value. Slower package updates are often caused by the upstream project making fundamental changes to their build system or the way they package software. Another possibility is that the upstream project has new package dependencies that are not yet available in Wolfi, and we first need to add those packages.


Time from upstream release to Wolfi package release for packages with an upstream GitHub release based on versions in 24 hour increments.

Share

Ready to Lock Down Your Supply Chain?

Talk to our customer obsessed, community-driven team.

Get Started