Chainguard Takes Over Maintenance of Aging OSS Projects

The New Stack (updated today)

Chainguard today announced Chainguard EmeritOSS, its new model for supporting mature open source projects and long-term open source software (OSS) sustainability for the community. “We’re creating a stable and predictable home for projects that have reached this stage,” wrote Erin Glass, staff product manager, Dan Lorenc, CEO and co-founder, and Kim Lewandowski, CSO and co-founder, in a blog post.

Mature OSS projects often remain embedded in production systems after maintainers move on. In an interview with The New Stack, Lorenc said that last year’s xz-utils incident, in which a backdoor was nearly introduced after the project’s maintainer of 20 years wanted to retire, exemplifies the risks when there’s no safe transition path. “Last year’s xz-utils incident demonstrated how severe the consequences can be when there’s no clear path for maintainers to step away safely,” the Chainguard post reads. “When the original maintainer wanted to retire after 20 years of commitment to the project, a new contributor gradually gained trust and then nearly introduced a sophisticated backdoor that could have compromised countless systems across the industry.”

Indeed, many open source projects fall into a gray area between active development and complete abandonment, Chainguard said. “They’re stable and widely used but still need minimal maintenance for security patches, dependency updates, and compiler upgrades. When maintainers move on, these projects can become security risks.”

Kaniko Was First

“In June 2025, when Google announced it was archiving the Kaniko project, some of our customers reached out to tell us how disruptive the change was to their workflows,” Chainguard said. “We stepped in with maintenance-only support on our fork of Kaniko to help them safely use or transition away from Kaniko.” Kaniko is part of the EmeritOSS program.

I covered that news and wrote: “Kaniko, a tool that enables building Docker images inside Kubernetes clusters without privileged containers, has become foundational infrastructure for organizations across financial services, defense, and other regulated industries.”

Today, Chainguard said, “With Kaniko, we’ve already delivered CVE [common vulnerabilities and exposures] fixes, dependency updates, and maintained images to keep customer workloads running safely during their migration period.”

In addition, Chainguard today added two more inductees into the EmeritOSS program: Kubeapps and ingress-nginx, two tools whose maintainers have reached natural life cycle transitions. As part of the program, Chainguard is enabling these projects to stay secure and operational for teams who depend on them.

“Having the possibility to get a supported ingress-nginx allows us to spend more time to evaluate the plan to move teams to another ingress controller or gateway API,” said Louis Gisarov, DevOps manager at Rogers Communications, in a statement. “Chainguard’s decision to take on the maintenance of ingress-nginx gives us confidence that we can continue to operate securely. It’s great to see an organization step in to support critical OSS in a way that respects maintainers and protects users at the same time.”

“Our forked, stability-focused versions will remain freely available on GitHub in source form only,” Chainguard said. “Organizations that prefer a secure, continuously maintained container image or APK can opt for our commercial distribution.”

Chainguard EmeritOSS Team

Chainguard has initially established a team of two to three people to work on the EmeritOSS program, Lorenc said. “We’re experimenting now just to see how big we can scale this. Because the work is bursty. Some months, some quarters, some years, there might be zero work for any given project. Other times, it’s going to get busy,” he told The New Stack. “So, we kind of want to push the limits to see how many of these projects a small team can actually do this for and then figure out what it’ll look like as we start to scale it up.”

Although the team is starting small to test the model before scaling, it is leveraging Chainguard’s existing automation infrastructure for vulnerability patching and using AI tools to scale support across potentially hundreds or thousands of projects, Lorenc said.

Filling the Gap

Without a structured transition model, organizations that depend on these mature projects are left vulnerable. EmeritOSS helps fill this gap. It provides a secure, stability-focused safe landing for essential open source projects that don’t need new features but do require ongoing care, Lorenc said.

According to the blog post, Chainguard offers various levels of support depending on community expectations and the project’s life cycle, including:

“Creating a public fork of the project to preserve ongoing access to the codebase. These are not hostile forks — our goal is continuity, not competition.”
“Updating dependencies to fix vulnerabilities and creating new releases with the updates.”
“Publishing clear documentation outlining support scope and service levels.”
“Building EmeritOSS projects from source and adding them to our image catalog when needed, along with updated APK packages where applicable.”

Chainguard will not support new feature development or proactively engage with community issues or pull requests, because these projects are mature and don’t require it. “Our job is to keep them safely in that state,” Lorenc said. However, “Our forked, stability-focused versions will remain freely available on GitHub in source form only. Organizations that prefer a secure, continuously maintained container image or APK can opt for our commercial distribution,” the Chainguard post said. “These are not hostile forks — our goal is continuity, not competition,” Lorenc said.

Meanwhile, Lorenc summed up the goal of the EmeritOSS program: “There are two kinds of projects out there, ones where you care what version number you’re on, and ones where you don’t know what version number you’re on. And this is for the latter.” Chainguard frames this as part of its broader OSS commitment, citing its Sigstore on-call work and GitHub Secure Open Source Fund contributions. “I think over time, this is probably something some foundation should try to pick up, but we want to prove it works before we do something like that,” Lorenc said. “You know, we’re chatting with folks like the Linux Foundation and other groups to see if this makes sense long term.”

Source: This article was originally published on The New Stack
