The Distroless Revolution Will Be Chainguarded
This is the final entry in a three-part series exploring open source software delivery: the recent past, the inflection point of the present, and the future.
In the first post, we dove into the foundations that created and defined UNIX and Linux operating system distributions and the challenges posed by the traditional distribution status quo. In the second, we talked about the innovations and use cases that make right now a distroless tipping point.
Today we’ll talk about what the future looks like, and why it starts now.
We’ve outlined the challenges with traditional “frozen-in-time” Linux distros, and the innovations and use cases that have driven modern, cloud-native containerized application development and delivery. It’s worth noting that without traditional distros the iterative progress that brought us to this moment wouldn’t have happened. However, we have reached a point where the security, performance, and innovation drawbacks outweigh the familiarity and perceived stability of the last generation of software delivery.
So what should the next generation of open source software delivery look like?
To meet modern security, performance, and productivity expectations, software builders need the latest software in the smallest form designed for their use case, without any of the CVEs that lead to risk for the business (and a list of “fix its” from the security teams). Making good on those parameters requires more than just making over the past. Instead, the next generation of open source software delivery needs to start from the source of secure, updated software: the upstream maintainers.
By moving beyond the downstream distros, it’s possible to leverage the most up-to-date software packages, which benefit from the latest security fixes and performance updates without relying on downstream maintainers. Similarly, going beyond the traditional distros makes it possible to leverage purpose-built container images at the start, rather than relying on your own downstream customizations of often-bloated general purpose distros.
Meet Chainguard OS
Chainguard has built this new distroless approach, continuously rebuilding software packages based not on downstream distros, but on the upstream sources that are removing vulnerabilities and adding performance improvements. We call it Chainguard OS.
Chainguard OS serves as the foundation for the broad security, efficiency, and productivity outcomes that Chainguard products deliver today, “Chainguarding” a rapidly growing catalog of over 1,000 container images.
Chainguard OS adheres to four key principles to make that possible:
Continuous Integration and Delivery: Emphasizes the continuous integration, testing, and release of upstream software packages, ensuring a streamlined and efficient development pipeline through automation.
Nano Updates and Rebuilds: Favors non-stop incremental updates and rebuilds over major release upgrades, ensuring smoother transitions and minimizing disruptive changes.
Minimal, Hardened, Immutable Artifacts: Strips away unnecessary vendor bloat from software artifacts, making sidecar packages and extras optional to the user while enhancing security through hardening measures.
Delta Minimization: Keeps deviations from upstream to a minimum, incorporating extra patches only when essential and only for as long as necessary until a new release is cut from upstream.
Perhaps the best way to highlight the value of Chainguard OS’s principles is to see the impact in Chainguard Images.
In the below screenshot (and viewable here), you can see a side-by-side comparison between the external python:latest image and the cgr.dev/chainguard/python:latest Chainguard Image.

Aside from the very clear discrepancy in the vulnerability count, it’s worth examining the size difference between the two container images. The Chainguard image is just 6% of the size of the open source alternative.
Along with the minimized image size, the Chainguard image was last updated just an hour prior to the screengrab, something that happens daily:

A quick scan of the provenance and SBOM data illustrates the end-to-end integrity and immutability of the artifacts — a kind of complete nutrition label that underscores the security and transparency that a modern approach to open source software delivery can provide.

Each Chainguard image stands as a practical example of the value Chainguard OS provides, offering a stark alternative to what came before it. Perhaps the greatest indicator is the feedback we’ve received from customers, who have shared how Chainguard’s container images have helped eliminate CVEs, secure their supply chains, achieve and maintain compliance, and reduce developer toil, enabling them to re-allocate precious developer resources.
Our belief is that Chainguard OS’s principles and approach can be applied to a variety of use cases, extending the benefits of continuously rebuilt-from-source software packages to even more of the open source ecosystem.
If you found this useful, be sure to check out our whitepaper on this subject, and the broader method we’ve taken to solving this problem for organizations. And check out our upcoming webinar on April 9, where we'll dive deeper into the subject.
Ready to Lock Down Your Supply Chain?
Talk to our customer-obsessed, community-driven team.