Wolfi, from software supply chain security firm Chainguard, is a young Linux “un-distro” that is improving the cloud’s software supply chain. Can its design also launch a new approach to fortifying desktop distros?
In September 2022, developers announced Wolfi, the first community Linux un-distro designed for minimalism, rapid updates, and speedy remediation of Common Vulnerabilities and Exposures (CVE). Software code vulnerabilities make it easier for hackers to wreak havoc on computer security in cloud deployments and on-premises environments.
CVE is a catalog of publicly disclosed security vulnerabilities. CVE Numbering Authorities (CNAs) assign each vulnerability a unique identifier of the form CVE-YYYY-NNNNN. Those common identifiers make it easier to share data across separate security databases and tools and give organizations a baseline for evaluating the coverage of their security tooling.
Wolfi developers hoped the combination of characteristics would provide a secure base layer for the containers that run applications in cloud environments. Since Wolfi’s release, Chainguard’s maintainers and community contributors have worked to help developers address software supply chain security challenges by building more secure software from the start.
Innovative Design for Cloud-Native Workloads
Wolfi takes a novel approach shaped by the rapid adoption of containerized and cloud-native workloads. One important principle of Wolfi’s design is prioritizing update speed over stability.
Chainguard sees fast updates as a distro’s responsibility. Its developers believe that users should never have to wait for a distro to release a fix.
The notion of an un-distro in the Linux world refers to its lack of some of the features of a full, traditional Linux distribution, according to Chainguard Staff DevRel Engineer Adrian Mouat. Most notably, there is no Linux kernel: containers run on the host’s kernel, so an image built for them never needs to ship its own.
“Most of today’s workloads run on containers, and existing Linux distros were designed for an earlier era. This shift to running containers and balancing new supply chain security risks have led to issues like running known vulnerabilities. The only way to solve these problems is to build a distribution designed for container/cloud-native environments, and that is why we built Wolfi,” Mouat told LinuxInsider.
Better Security From Images, Not Versions
To achieve this, Wolfi follows a rolling release cadence and has no release versions, only packages that rapidly receive version updates. According to the company, this approach lets Wolfi users pick up fixed packages as soon as possible after a vulnerability is patched upstream.
Wolfi is a community Linux OS designed for the container and cloud-native era. Chainguard started the Wolfi project to enable building Chainguard Images, its collection of curated “distroless” images that meet the requirements of a secure software supply chain.
Sure, other so-called distroless offerings exist. For instance, Google’s distroless images are built with Bazel and based on the Debian distribution. Bazel is an open-source build and test tool similar to Make, Maven, and Gradle that uses a human-readable, high-level build language.
Chainguard Images are built with apko, a command-line tool that builds container images from a declarative configuration written in YAML. The apko name is derived from the APK package format, which Alpine and Wolfi both use, and is inspired by the ko build tool.
Distroless means the image contains only the dependencies required to run a single application. For example, the Redis image contains only what it needs to run Redis. It even lacks a shell and a package manager.
“This is in contrast to traditional container images, which often contain various system utilities not required for running the application,” added Mouat.
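As an added illustration of the apko model described above (this is an example configuration written for this article, not a file from the Wolfi or Chainguard Images projects), here is what a distroless Redis image looks like as apko YAML. The package names, the nonroot uid/gid and the /data path are assumptions chosen for illustration; the repository and keyring URLs are Wolfi’s published package index and signing key.

```yaml
# redis.yaml (hypothetical file name): a distroless Redis image built from
# Wolfi packages with apko. Added example, not the project's own config.
contents:
  repositories:
    - https://packages.wolfi.dev/os            # Wolfi package index
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub  # verifies package signatures
  packages:
    # Only the application and what it needs at runtime. Deliberately absent:
    # wolfi-base, busybox and apk-tools, so the image has no shell and no
    # package manager. Package names are assumptions for the example.
    - redis
    - ca-certificates-bundle

accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: nonroot          # never run the service as root inside the container

paths:
  - path: /data            # writable data directory owned by the service user
    type: directory
    uid: 65532
    gid: 65532
    permissions: 0o755

entrypoint:
  command: /usr/bin/redis-server

archs:
  - x86_64
  - aarch64
```

Building it with `apko build redis.yaml redis:test redis.tar` produces an OCI image tarball, and apko emits an SPDX SBOM for the image as part of the build. A quick check that the result really is distroless: loading the tarball and running it with `--entrypoint sh` should fail because no shell binary exists in the image.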
When Chainguard first introduced Wolfi, it was intended to be a community-driven project that would achieve recognition as the most trusted distro for containerized workloads, according to the company. It hoped other software builders would use Wolfi to solve the same supply chain challenges.
Difference With a Distinction
Wolfi differs from Chainguard Images. They are not the same thing, but they are closely connected.
Wolfi is the name of the company’s open-source Linux un-distribution. Chainguard Images are built from Wolfi packages and deliver benefits like rapid updates, patching, and a Software Bill of Materials (SBOM) generated at build time, Mouat clarified.
Chainguard Images is a collection of container images designed for security and minimalism. Many of them are distroless. The company offers a mix of distroless runtime images and development (or builder) images; the development variants add a shell and package manager for building and debugging, while both kinds stay minimal and include provenance attestations for increased security.
John Speed Meyers, head of the company’s Chainguard Labs, thinks of Wolfi as a set of building blocks or packages developers can use to build software. He views Chainguard Images as containers built from packages in Wolfi for container-related tasks.
“Because containers have become so popular for cloud computing, containers built from Wolfi [like Chainguard Images] are also good for mainstream cloud computing, at least where containers are involved,” he told LinuxInsider.
Another distinction is how releases are handled. Wolfi is a rolling-release Linux distribution without traditional release version numbering. It is effectively the same model as the edge branch of Alpine Linux, which is widely used in embedded systems and containers, Mouat offered.
“Wolfi packages are sourced from official project releases in the same way as other distributions. It’s just that we have more automation and can get releases out faster. I expect in the future we will see other distributions also speed up the cadence at which they release new versions of software,” he said.
Why the Two ‘Almost Alikes’ Co-Exist
Chainguard set out to create its own Linux distribution to build its low-to-zero known CVE container images. According to Mouat, the developers must control how quickly they can apply updates in reaction to vulnerabilities and how quickly they can issue security advisories.
“The only way to do that was by building our own Linux distribution built for speed,” he noted.
Wolfi, like Alpine, emphasizes rapid patching of CVEs. Most popular container images are bloated with too much software, are updated too infrequently, and are full of packages with known CVEs, he explained.
Wolfi also offers other software supply chain security benefits, like Software Bill of Materials for packages and key packages bootstrapped from source, added Meyers.
Wolfi’s uniqueness, separate from Chainguard Images, lies in improving the resilience of the cloud software supply chain, observed Ariadne Conill, co-founder and chief innovation officer at Edera, a container security company.
“Wolfi is fairly unique in that all of the bits needed to bootstrap the entire distribution have been published alongside instructions on how to use them to build your own independent builds of the Wolfi package set,” she told LinuxInsider.
Another advantage of Wolfi is the automation that drives package updates and correlates each update with vulnerability-fix information. Other distributions, like NixOS, have built their own implementations of some of these capabilities.
“But as far as I know, Wolfi is the only commercially supported distribution with a rolling release model with heavy automation,” he noted.
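The two benefits just described, an SBOM produced at build time and package updates that are correlated with vulnerability-fix data, are most useful when you can join them yourself. The following is an added example written for this article, not code from Wolfi, apko or Chainguard. It assumes two input shapes: an SPDX JSON document carrying one apk purl per package, as apko emits for an image, and the Alpine-style secdb JSON that Wolfi publishes as security.json, in which each package lists fixed versions mapped to CVE identifiers and the version key "0" means the package was never affected. Both documents below are constructed samples, and the CVE identifiers in them are placeholders, not real advisories. The version comparator handles dotted numeric versions with a `-rN` package release, which is a simplification of full apk ordering and is labelled as such.

```python
"""Join an image SBOM (SPDX JSON) with a Wolfi-style security feed.

Added example, not code from Wolfi, apko or Chainguard. The sample SBOM,
the sample feed and the CVE identifiers inside them are constructed
placeholders for illustration only.
"""
import json
import re

# Constructed SBOM fragment in the shape apko writes (two packages, one arch).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sbom-example",
    "packages": [
        {"name": "redis", "versionInfo": "7.2.4-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/redis@7.2.4-r0?arch=x86_64"}]},
        {"name": "ca-certificates-bundle", "versionInfo": "20240203-r0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/ca-certificates-bundle@20240203-r0?arch=x86_64"}]},
    ],
})

# Constructed feed in the Alpine secdb shape used by Wolfi's security.json.
# The CVE identifiers are placeholders (year 0000 cannot be real advisories).
SAMPLE_SECDB = json.dumps({
    "reponame": "os",
    "packages": [
        {"pkg": {"name": "redis",
                 "secfixes": {"7.2.4-r1": ["CVE-0000-0001"],   # fixed only in a newer build
                              "7.0.0-r0": ["CVE-0000-0002"],   # fixed long before 7.2.4
                              "0": ["CVE-0000-0003"]}}},       # "0": never affected
    ],
})


def apk_version_key(version: str):
    """Sort key for apk-style versions such as '7.2.4-r1'.

    Assumption for illustration: dotted numeric versions plus an optional
    '-rN' package release. Alphabetic tokens sort after numeric ones; the
    full apk suffix rules (_alpha, _p, ...) are not implemented.
    """
    main, _, rel = version.partition("-r")
    parts = [(0, int(tok)) if tok.isdigit() else (1, tok)
             for tok in re.findall(r"\d+|[A-Za-z]+", main)]
    return (parts, int(rel) if rel.isdigit() else -1)


def installed_packages(sbom_json: str) -> dict:
    """Return {package name: version} from the SPDX document via its apk purls."""
    found = {}
    for pkg in json.loads(sbom_json).get("packages", []):
        for ref in pkg.get("externalRefs", []):
            loc = ref.get("referenceLocator", "")
            if ref.get("referenceType") == "purl" and loc.startswith("pkg:apk/wolfi/"):
                name, _, ver = loc[len("pkg:apk/wolfi/"):].split("?", 1)[0].partition("@")
                found[name] = ver
    return found


def find_unfixed(sbom_json: str, secdb_json: str) -> dict:
    """Map each installed package to the CVE IDs whose fixed version is newer
    than what the image contains. Entries under version "0" are skipped."""
    installed = installed_packages(sbom_json)
    report = {}
    for entry in json.loads(secdb_json).get("packages", []):
        pkg = entry["pkg"]
        name = pkg["name"]
        if name not in installed:
            continue
        have = apk_version_key(installed[name])
        open_cves = sorted(
            cve
            for fixed, cves in pkg.get("secfixes", {}).items()
            if fixed != "0" and apk_version_key(fixed) > have
            for cve in cves
        )
        if open_cves:
            report[name] = open_cves
    return report


if __name__ == "__main__":
    # Only the CVE fixed in a newer build than the installed 7.2.4-r0 is reported.
    print(json.dumps(find_unfixed(SAMPLE_SBOM, SAMPLE_SECDB), indent=2))
```

Rebuilding the image after the package index publishes redis 7.2.4-r1 would make the report empty, which is the rolling-release loop the article describes: the fix arrives as a new package build, the SBOM of the rebuilt image records it, and the join against the feed closes the finding without waiting for a distribution release.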
Distro for a New Era
Most of the major Linux distributions today were originally designed for a bygone era, suggested Mouat. They were first designed to run on bare metal: desktops on people’s desks and servers in racks in the server room.
“I’m old enough to remember installing Red Hat and Debian from CDs and even floppy disks! They then made the transition to VMs largely unscathed, but in today’s container-dominated landscape, I think they are starting to creak,” he quipped.
Wolfi shows how rethinking the Linux distribution with a focus on small, modular packages that are frequently updated has benefits for organizations running container workloads, Mouat said.
“I think we will see more and more initiatives by the major distributions that try to bring some of these benefits to their offerings,” he concluded about the future of Linux distros.