Apr 3, 2025

A secure container company listens to several top Linux maintainers on how to build the most secure Linux distro possible. Roland W. Kunz/Getty Images LONDON -- When I met up with my open-source buddy Dustin Kirkland, VP of engineering at Chainguard, at KubeCon Europe, he said he had me to thank for his company's new Linux distribution, Chainguard OS . Why? In my May 2024 story about kernel security, I'd said all distros had been doing Linux security wrong . (That was the conclusion of a  CIQ study, Linux stable kernel maintainer Greg Kroah-Hartman, and top Linux developer Kees Cook.) "A light bulb went off," Kirkland told me, "and I realized, holy cow, this is the piece that I was missing, as we've built our product around hardened containers, not virtual machines, not a full distro." Earlier, the Kirkland, Wash.-based secure container company had released Wolfi, an "undistribution" with all the software you need for a container except Linux. Lately, though, Chainguard had considered building its own secure enterprise Linux. But, Kirkland said, that would take a lot of work and a dozen or so Linux kernel developers. However, using the approach I described in the story, they could build an even more secure distribution for far less work and money. How? As Kroah-Hartman explained, you should always use the latest long-term stable kernel (LTS). The key word here is "latest." It's not enough to use an LTS . You must use the most up-to-date release to be as secure as possible. Cook added, "The answer is simple, if painful: Continuously update to the latest kernel release , either major or stable." Kroah-Hartman has often said, "Any bug has the potential of being a security issue at the kernel level." Jonathan Corbet, Linux kernel developer and LWN editor-in-chief, added: "In the kernel, just about any bug, if you're clever enough, can be exploitable to compromise the system . The kernel is in a unique spot in the system ... it turns a lot of ordinary bugs into vulnerabilities." Now that Linux is in charge of issuing all its own CVEs , the latest version of the LTS kernel gets the fixes for all known bugs as soon as they become available. Thus, by tracking the LTS kernel tree and issuing a rolling Linux release immediately, you can be certain that your Chainguard OS is as secure as humanly possible. In addition, Chainguard OS uses Chainguard's automated build system, the Chainguard Factory , to eliminate unnecessary software bloat and reduce the potential attack surface. This design ensures the operating system contains fewer dependencies, lowering the likelihood of security holes. The OS is also designed with a zero-trust, immutable infrastructure . This approach enhances security by ensuring that every component is verified and trusted, minimizing the risk of supply chain attacks. Thus, when a new patch comes out, you don't patch your operating system at all. Instead, you replace it lock, stock, and barrel with a new, totally secure model. Chainguard OS is also continually verified to ensure it remains free from vulnerabilities. This ongoing verification process helps maintain a secure software development and deployment environment. For example, if new security holes are found in, say, Python but not in Linux, the entire operating system, Python, and other software programs are pulled as a single package and replaced. Chainguard OS is part of a broader strategy by Chainguard to secure the software supply chain. The company has already made significant strides with its container images and libraries, which are designed to eliminate vulnerabilities and provide a secure foundation for developers. By extending this approach to the operating system level, Chainguard empowers developers to focus on building secure software without the burden of patching legacy vulnerabilities. Why isn't everyone doing this? If you depend upon a particular version of Linux for your company, which many businesses do, you don't want the foundations of your operating system to change constantly. That's why even long out-of-date Linux distros such as CentOS still have users. They rely on TuxCare Endless Life Cycle , OpenLogic CentOS End of Life Support , or SUSE Multi-Linux Support , formerly Liberty Linux, for support. But if security is the top priority for your company's Linux workloads,  you'll want to use Chainguard images , which are built on top of Chainguard OS. Chainguard OS is not available as a standalone distro; that's not Chainguard's market. However, if you ask them nicely, maybe they'll consider it. In the meantime, if you run most of your work in the cloud, check out their container images, language libraries , and virtual machines (VMs) . You'll be glad you did. Stay ahead of security news with Tech Today , delivered to your inbox every morning. Security