
ZDNET’s key takeaways
- EmeritOSS provides a new lease of life for three open-source projects.
- The program gives otherwise abandoned projects a path to continued CVE and dependency patches.
- More open-source projects will be added if there’s demand.
You may find it hard to believe, but there are critical open-source programs, such as Kubernetes’ Ingress-NGINX, that are dying for lack of support. Now, Chainguard, a cybersecurity company focused on securing the software supply chain, is stepping up with EmeritOSS to keep such programs alive. EmeritOSS is a stability-focused program that preserves and secures mature, popular, but unmaintained open-source projects, starting with Kaniko, Kubeapps, and Ingress-NGINX.
‘Sustainable stewardship’
Chainguard describes EmeritOSS as “sustainable stewardship for mature open source,” targeting widely used projects that have reached functional maturity but lost active maintainers or been archived. The goal is not to add new features, but to provide safe, predictable maintenance, so organizations can run critical workloads while planning migrations or adopting successor technologies.
EmeritOSS focuses on projects that remain deeply embedded in production environments, where sudden archival or abandonment can create security and operational risk. Chainguard positions the program as a model for long-term OSS sustainability, citing long-standing community concerns about what happens when key maintainers step away.
Under EmeritOSS, Chainguard offers several maintenance levels for select archived or unmaintained projects. This approach includes creating public, stability-focused forks, updating dependencies, and issuing new releases with vulnerability fixes. The company also documents support scope and service levels and, where appropriate, adds these projects to its hardened image catalog and Wolfi-based APK package repositories.
Continuity measures
The company emphasizes that these outputs are “not hostile forks,” but rather continuity measures that respect original maintainers while protecting downstream users. The forked code remains freely available in source form on GitHub, while organizations that want continuously maintained container images or packages can obtain them via Chainguard’s commercial distribution.
Chainguard started this program in June 2025, after Google archived Kaniko. This once-popular tool enabled developers to build container images from a Dockerfile within a container or a Kubernetes cluster. When Google shut it down, Chainguard customers told the company that the change caused them headaches. That issue prompted Chainguard to step in with a maintenance-only Kaniko fork that delivers Common Vulnerabilities and Exposures (CVE) fixes and dependency updates while teams transition.
Chainguard has now added two more EmeritOSS inductees: Kubeapps, which provides a graphical dashboard for deploying and managing applications on Kubernetes clusters, and Ingress-NGINX, which routes external HTTP and HTTPS traffic to services running inside a cluster. The company describes both as “beloved tools” whose users need continued support.
Absorbs unnecessary risks
The company argues that without a predictable path for mature projects to move into safe, long-term stewardship, the ecosystem absorbs unnecessary risk, including unpatched vulnerabilities and fragile pipelines. EmeritOSS complements Chainguard’s existing work on secure base images, Wolfi, and security initiatives, such as Sigstore on-call rotations and funding for the GitHub Secure Open Source Fund.
Looking ahead, organizations relying on archived or unmaintained projects can submit them to Chainguard for consideration via an online form. Chainguard says it will continue to add inductees where there is clear, ongoing demand and where a stability-only model makes sense, stressing that its job is to keep these projects “safely in that state,” not to evolve them.
Unfortunately, evidence suggests there are many such programs. A recent open letter signed by 10 open-source foundations pointed out that “Most of these [open source] systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill, rather than mechanisms that align responsibility with usage.”
Today, the foundations continued, “a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.”
Shared responsibility
As Chainguard co-founder and CEO Dan Lorenc explained in a column in The New Stack:
We need a way for open-source maintainers to gracefully hand off “done” projects even when they no longer have a significant feature roadmap. We need to offer them a place where:
- Mature projects can transition from individual maintainers to a trusted organization accountable for long-term stewardship.
- CVEs get patched continuously, even without new feature work.
- Reproducibility and trust remain, without weekly commits.
This graduation should signal that the project is stable, valuable, and ready for a long life supported by shared responsibility.
Lorenc is right. We cannot continue to let vital projects flounder without long-term support. Chainguard is taking a step forward in ameliorating this persistent open-source problem with EmeritOSS.