If you are one of those who works a lot with containers, I can recommend reading the following article where we will talk about Wolfi OS, which is a new community Linux distribution that combines the best aspects of the existing container base images with default security measures that They will include Sigstore-powered software signatures, provenance, and software BOMs.
Wolfi OS is a stripped-down distribution designed for the cloud-native era. It doesn't have a kernel of its own, but rather depends on the environment (such as the container runtime) to provide one. This separation of concerns in Wolfi means that it is adaptable to a variety of settings.
About Wolfi OS
In its repository on GitHub we can find that:
Chainguard started the Wolfi project to enable the creation of Chainguard Images, our collection of curated distribution-free images that meet the requirements of a secure software supply chain. This required a Linux distribution with components at the proper granularity and with support for both glibc and musl , something not yet available in the cloud-native Linux ecosystem.
It is also mentioned that Wolfi, whose name was inspired by the smallest octopus in the world, has some key features What sets it apart from other distros that focus on cloud-native/container environments:
- Provides a high-quality compile-time SBOM as standard for all packages
- Packages are designed to be granular and self-contained, to support minimal images
- Uses the tried and trusted apk package format
- Fully declarative and reproducible build system
- Designed to support glibc and musl
It is worth mentioning that Wolfi OS is a Linux distribution designed right from the start, that is, it is not based on any other existing distribution and is intended to support newer computing paradigms, such as containers.
Although Wolfi has some similar design principles to Alpine (such as using apk), is a different distro that focuses on supply chain security. Unlike Alpine, Wolfi currently doesn't build its own Linux kernel, but instead relies on the host environment (for example, a container runtime) to provide one.
And it is that for the creator of Wolfi the security of the software supply chain is unique, since he mentions that it has many different types of attacks that can target many different points in the software life cycle. He can't just take a piece of security software, turn it on, and protect himself from everything.
“We refer to Wolfi as an undistro because it is not a full Linux distribution designed to run on bare-metal, but rather a stripped-down distribution designed for the cloud-native era. Most notably, we didn't include a Linux kernel, but instead relied on the environment (such as the container runtime) to provide it,” said Dan Lorenc, CEO of Chainguard.
“In addition, Linux distributions themselves typically only release stable versions of software for long periods of time, while developers who install software are (again) doing manual installs to get the latest, or most recent versions. patched. As a result, there is a huge disconnect between what scanners can detect via software supply chain security CVEs and what actually exists in the typical environment.
Wolfi takes constantly updated images of base containers that target zero known vulnerabilities, To eliminate this delay between common distributions and container images, and users running images with known vulnerabilities. wolfi close this gap making sure the container images have provenance information (where the images come from and making sure they don't get tampered with) and makes SBOM generation something that can happen during the build process, and not at the end.
finally if you are interested in knowing more about it about this new release, you can check the details in the following link.