Wolfi, from software supply chain security firm Chainguard, is a new “un-distro” that aims to harden the software supply chain for cloud computing. Can its approach also point the way to fortifying desktop distros?
In September 2022 developers released Wolfi, a community Linux un-distro designed for minimalism, rapid updates and quick remediation of Common Vulnerabilities and Exposures (CVEs). Software vulnerabilities give attackers a foothold into systems, in cloud deployments and on-premises alike.
CVE is a public catalog of disclosed security vulnerabilities. A CVE Numbering Authority (CNA) assigns each vulnerability a unique identifier, its CVE ID. Those shared identifiers make it easier to correlate data across vulnerability databases, scanners and advisories.
The Wolfi team hoped that this combination of features would provide a secure foundation for the containers that run applications in the cloud. Chainguard’s community and maintainers have worked to ensure that developers can build secure software on Wolfi.
Innovative Design for Cloud Native Applications
Wolfi is a new approach focused on the rapid adoption and deployment of cloud-native workloads. It prioritizes speed of updates over stability as a key design principle.
Chainguard believes that distros bear the responsibility for shipping fixes fast. Its developers think users should not be left waiting for a distro to get around to releasing a fix.
Adrian Mouat, staff DevRel engineer at Chainguard, said that in the Linux world an “un-distro” refers to a distribution that lacks some of the features of a traditional Linux distribution. Most notably, Wolfi ships no Linux kernel: containers built from it run on the host’s kernel.
“The Linux distributions of today were designed to run earlier workloads. The shift to running in containers, together with new supply chain security risks, has led to issues such as running known vulnerabilities. The only way to solve these problems is to build a distribution designed for container/cloud-native environments, and that is why we built Wolfi,” Mouat told LinuxInsider.
Rolling Packages Instead of Release Versions
To achieve this, Wolfi uses a rolling release model and has no release versions. Instead, its packages receive rapid version updates. The company says this approach gets vulnerability-free packages into the hands of Wolfi users as quickly as possible.
Wolfi, a community-developed Linux OS for containerized and cloud-native environments, is designed to grow with users’ needs. Chainguard launched the Wolfi project as the basis for Chainguard Images, its collection of “distroless” images built to meet the needs of a secure supply chain.
There are other “distroless” offerings. Google’s distroless images are built with Bazel on top of Debian. Bazel is a free, open-source tool for building and testing software, similar to Make, Maven and Gradle but driven by a high-level, human-readable build language.
Chainguard Images are built with apko, a command-line tool that builds container images from a declarative YAML configuration. Its name comes directly from the APK package format, and its design was inspired by the ko build tool.
A distroless image contains only the dependencies needed to run one application. A distroless Redis image, for example, contains only what Redis needs to run; even the shell and the package manager are absent.
Mouat explained that this is “in contrast to the traditional container images, which often contain system utilities not necessary for running an application.”
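A minimal apko configuration for the Redis case just described, as an added example that is not from the article or from Chainguard’s own image definitions. The Wolfi repository and signing-key URLs are the public ones; the package name, the path of the Redis binary and the 65532 uid/gid for the non-root account are assumptions made for this illustration.

```yaml
# Constructed apko configuration: a distroless Redis image built from Wolfi
# packages. Example only; package name, binary path and account ids are assumed.
contents:
  keyring:
    # Public key used to verify Wolfi package signatures.
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://packages.wolfi.dev/os
  packages:
    # Only the application itself; apk pulls in its declared runtime
    # dependencies and nothing else (no shell, no package manager).
    - redis
    - ca-certificates-bundle
accounts:
  groups:
    - groupname: redis
      gid: 65532
  users:
    - username: redis
      uid: 65532
      gid: 65532
  # Drop root before the entrypoint starts.
  run-as: redis
entrypoint:
  command: /usr/bin/redis-server
archs:
  - x86_64
  - aarch64
```

Building it with `apko build redis.yaml redis:local redis.tar` produces an OCI image tarball that can be loaded with `docker load`, together with an SPDX SBOM describing what went into the build. Because the resulting image has no shell or package manager, trying to exec into it for a look around will fail; inspect it through its SBOM or from the host instead.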
Chainguard introduced Wolfi as a community-driven project that it hoped would come to be recognized as the best distro for containerized applications, according to the company. It hoped software builders would adopt Wolfi to solve a range of challenges.
A Distinction With a Difference
Wolfi and Chainguard Images are two different products, but they are connected.
Wolfi is the company’s open-source Linux distribution; Chainguard Images are built from Wolfi packages. That provides significant benefits, such as quick updates and patching. Mouat clarified that each image’s Software Bill of Materials (SBOM) is generated at build time.
Chainguard Images are a collection of container images designed to be minimal and secure. Most of them are distroless. The company offers a mix of distroless images and developer images, both of which are minimal and include provenance attestations for added security.
John Speed Meyers, head of Chainguard Labs, views Wolfi as a set of packages, or building blocks, that developers can use to create software, and Chainguard Images as containers built from those Wolfi packages.
“Because cloud computing has become so popular, containers made from Wolfi [like Chainguard Images] are good for cloud computing in general,” he told LinuxInsider.
Package management is another important distinction. Wolfi is a rolling Linux distribution that does not use traditional version numbers. Mouat said it is the same model used by the Alpine Linux edge branch, which targets embedded systems and containers.
“Wolfi packages are sourced directly from project releases, just like other distributions. We just have more automation, so we can release updates faster. In the future, I expect to see other distributions speeding up their release cadence.”
Why the Two ‘Almost Alikes’ Co-Exist
Chainguard created its own Linux distribution in order to build containers with low-to-zero known CVEs. Mouat says developers need to control how quickly they can react to vulnerabilities, both by issuing security advisories and by applying updates.
He said the only way to achieve that was for Chainguard to create its own Linux distribution, built for speed.
Wolfi, like Alpine, emphasizes rapid patching of CVEs. Mouat explained that most popular container images contain too much software, are not updated often enough, and ship packages with known CVEs.
Meyers added that Wolfi provides other supply chain benefits, such as an SBOM for every package and signing keys that are bootstrapped at the source.
Wolfi’s distinctive contribution, separate from Chainguard Images, is improving the resilience of the cloud software supply chain, observed Ariadne Conill, co-founder and chief innovation officer at Edera.
She told LinuxInsider that Wolfi is unique because all the pieces needed to bootstrap the entire distribution are published, along with instructions on how to use them to create your own independent builds.
Another advantage is Wolfi’s automation of package updates, which correlates automatically updated packages with information on vulnerabilities and their fixes. Other distributions, such as NixOS, have implemented some of these features.
“But, as far as I know, Wolfi’s the only commercially-supported distribution that has a rolling release with heavy automation,” she said.
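The correlation Conill describes can be reproduced against Wolfi’s published security database, which follows the Alpine secdb JSON format (https://packages.wolfi.dev/os/security.json): for each package, a map from the first fixed version to the CVEs fixed in it. The Python below is an added example, not code from the article, Chainguard or the Wolfi project. It reads installed package versions from an SPDX JSON SBOM of the kind apko embeds in an image and reports which CVEs are already fixed at the installed version and which remain open. The SBOM and secdb documents are constructed inline with placeholder versions and CVE identifiers (not real advisories), and the apk version comparison is a deliberately simplified stand-in for apk’s real ordering.

```python
"""Correlate an image's installed packages with a Wolfi-style secdb.

Added example. The secdb format (Alpine 'secdb' JSON, also used by Wolfi) maps
each package to {first_fixed_version: [CVE, ...]}; the special version "0" lists
CVEs that never affected the package. Sample data is constructed: versions and
CVE ids are placeholders, not real advisories.
"""
import json
import re


def parse_apk_version(version):
    """Turn an apk version string such as '7.2.4-r1' into a comparable key.

    Simplified on purpose: dotted components are compared numerically (with any
    non-numeric tail compared lexically), then the '-rN' package release.
    Real apk ordering also knows suffixes such as _rc1 or _p1; this is enough
    to show the correlation logic, not a drop-in replacement.
    """
    main, _, release = version.partition("-r")
    components = []
    for piece in main.split("."):
        match = re.match(r"(\d*)(.*)", piece)
        number = int(match.group(1)) if match.group(1) else -1
        components.append((number, match.group(2)))
    return (tuple(components), int(release) if release.isdigit() else 0)


def installed_from_spdx(spdx_doc):
    """Map package name -> version from an SPDX JSON SBOM.

    Assumes, as in this constructed sample, that every package entry with a
    versionInfo field is an apk package; a real apko SBOM also carries an
    entry for the image itself that would need to be skipped.
    """
    return {p["name"]: p["versionInfo"]
            for p in spdx_doc.get("packages", []) if "versionInfo" in p}


def load_secdb(secdb):
    """Index a secdb document: name -> [(version_key, version_str, [cves])]."""
    index = {}
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        index[pkg["name"]] = [
            (parse_apk_version(fixed_in), fixed_in, cves)
            for fixed_in, cves in pkg.get("secfixes", {}).items()
        ]
    return index


def assess(installed, secdb):
    """Report, per installed package, CVEs fixed at this version and CVEs still open."""
    index = load_secdb(secdb)
    report = {}
    for name, version in sorted(installed.items()):
        current = parse_apk_version(version)
        fixed, still_open = [], []
        for fixed_key, _fixed_in, cves in index.get(name, []):
            # Version "0" sorts below everything, so "not affected" CVEs
            # always land in the fixed list, matching the secdb convention.
            (fixed if current >= fixed_key else still_open).extend(cves)
        report[name] = {"fixed": sorted(fixed), "open": sorted(still_open)}
    return report


# Constructed sample SBOM (the shape apko writes into an image).
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-example",
  "packages": [
    {"SPDXID": "SPDXRef-Package-redis", "name": "redis", "versionInfo": "7.2.4-r1"},
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.1.4-r2"},
    {"SPDXID": "SPDXRef-Package-ca", "name": "ca-certificates-bundle", "versionInfo": "20240203-r0"}
  ]
}
""")

# Constructed sample secdb; placeholder CVE ids, not real advisories.
SAMPLE_SECDB = json.loads("""
{
  "reponame": "os",
  "urlprefix": "https://packages.wolfi.dev",
  "archs": ["x86_64", "aarch64"],
  "packages": [
    {"pkg": {"name": "redis", "secfixes": {
      "7.2.4-r0": ["CVE-2000-0001"],
      "7.2.5-r0": ["CVE-2000-0002"],
      "0": ["CVE-2000-0009"]}}},
    {"pkg": {"name": "openssl", "secfixes": {
      "3.2.1-r0": ["CVE-2000-0003"]}}}
  ]
}
""")


def demo():
    """Run the correlation over the constructed sample data."""
    return assess(installed_from_spdx(SAMPLE_SBOM), SAMPLE_SECDB)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: open={result['open']} fixed={result['fixed']}")
```

With the sample data, redis 7.2.4-r1 is at or past the fix for CVE-2000-0001 but below the 7.2.5-r0 fix for CVE-2000-0002, which is therefore reported open; openssl 3.1.4-r2 is behind its single fix, and ca-certificates-bundle has no entries at all. In practice the secdb would be fetched from the Wolfi repository and the SBOM read out of the image, and the version comparison should be delegated to apk’s own implementation rather than this simplified one.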
Distro for a New Era
Mouat argues that most of the major Linux distros come from a previous era: they were originally designed to run on desktops or on racks in server rooms.
“I’m old enough to have installed Red Hat and Debian from CDs, and even floppy disks! They made the switch to VMs largely unharmed, but I think they are beginning to creak in today’s container-dominated landscape,” he joked.
Mouat says Wolfi demonstrates how rethinking Linux around small, modular, regularly updated packages can benefit organizations that run container workloads.
He concluded that the future of Linux distributions will likely see more initiatives from the major distributions to incorporate some of these advantages.