It's the one-year anniversary of Wolfi, the first community Linux undistro focused on supply chain security. A lot has happened during that year. Let's find out what.
At IProgrammer we have extensively covered Wolfi and the distinct advantages it brings to the software supply chain; mainly minimalistic design, fast updates and fast CVE remediation, but there's more.
Wolfi is not a full Linux distribution designed to run on bare metal, but a stripped-down one designed for the cloud-native era and strengthened with the countermeasures necessary for securing the software supply chain.
Using Wolfi, you can produce container images that meet the requirements of a secure software supply chain; that is, images that come signed and with sensible defaults. The defaults it enforces are:
build-time SBOM as standard for all packages
packages are designed to be granular and independent to support minimal images
uses the proven and reliable APK package format
enables fully declarative and reproducible build systems
supports glibc and musl
These defaults are meant to address the issues arising from running container images:
Container images tend to lag behind upstream updates, resulting in users running images with known vulnerabilities
The common distros used in container images also lag behind upstream versions, resulting in users installing packages manually or outside of package managers.
Container images typically contain more software than they need to, resulting in an unnecessarily increased attack surface.
Many container images have no provenance information making it difficult to verify where they came from or if someone has tampered with them.
They are typically not designed to meet compliance requirements or standards like SLSA
By tackling them, Wolfi gives developers the secure-by-default base they need to build great software.
A year after it was introduced, the project has not stood still but has progressed towards maturity. One area where it has made strides is the open source community, which has really embraced it. There have been:
60 contributors to the project
More than 4,400 PRs merged in the Wolfi repo
1,300+ package configs in the Wolfi repo and 18,000+ packages in the Wolfi index
An improved package update interval (the time between an upstream source code release and a new Wolfi package release) that can be measured in hours, not days. Among projects using GitHub releases, the Wolfi update interval is less than 24 hours 80 percent of the time. That is to say, there's no "update" or "patch"; there's just "roll out a whole new container".
A major endorsement came from Sourcegraph, which used the Wolfi toolchain to help solve its container challenges by patching vulnerabilities and tightening its supply chain dependencies.
Then, on a more technical level, several major milestones have also been met:
A helper project, wolfi-act, has been introduced, which makes Wolfi packages usable dynamically within GitHub Actions. Using wolfi-act, you specify a comma-separated list of packages available in Wolfi that you wish to install into an ephemeral environment via the packages input, and what to run there via the command input.
64-bit Arm support for all Wolfi packages. Especially important for squeezing performance out on the cloud as the major cloud providers including AWS, GCP and Azure make strong use of ARM chips.
Memory safety: The Rustls TLS library was introduced into Wolfi in partnership with the Internet Security Research Group (ISRG). This was an extremely important milestone because memory safety vulnerabilities are responsible for many critical, remotely exploitable, in-the-wild attacks on software.
Fully bootstrapping Go and Java from source: Today, Wolfi is one of the few distributions with full provenance all the way back to a purely source-based build of Java, and the same for Go. In the future, full-source bootstrapping for Rust and other language ecosystems is going to be added too.
And finally, widespread support of scanning tools for vulnerability scans in Wolfi, including Docker Scout, Grype, Snyk, Trivy and Wiz. Prisma Cloud is coming soon.
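The wolfi-act and scanner items above can be combined in one workflow. The following is an added example, not code from the Wolfi project or the article; the action reference wolfi-dev/wolfi-act@main and the availability of grype and syft as Wolfi packages are assumptions.

```yaml
# Added example: run a vulnerability scan in CI using tools installed
# as Wolfi packages through wolfi-act (action reference is assumed).
name: scan-with-wolfi-packages
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumed action reference; the article only names the project "wolfi-act".
      - uses: wolfi-dev/wolfi-act@main
        with:
          # packages input: comma-separated Wolfi packages installed into an
          # ephemeral environment (grype and syft assumed to be in the index).
          packages: grype,syft
          # command input: what to run inside that ephemeral environment.
          command: |
            syft dir:. -o spdx-json > sbom.spdx.json
            grype sbom:./sbom.spdx.json --fail-on high
```

The job fails the pull request when grype finds a vulnerability at high severity or above, so the check is enforced before the change lands.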
That's all done. But what does the future hold for this recently born project that has taken the industry by storm? The quest towards becoming the most trusted distro for containerized workloads is ongoing. Its wide adoption would put to rest the container-based issues highlighted in the recent "SLSA++ A Survey of Software Supply Chain Security":
As far as container security goes, the respondents also expressed concerns about high false positive rates when scanning containers for known vulnerabilities. One respondent opined:
False positive rates are extremely high with the current tooling to the point that the cost per averted vulnerability is quite elevated.
Another offered their frustrating experience with large container base images:
Our docker images are not that slim, so there is [a] lot of noise from packages in base images, so most findings are not quickly acted on. This works better if docker images can be slimmed down.
There's a solution to both those problems. Adopt Wolfi and never look back.