Chainguard EmeritOSS: Sustainable Stewardship for Mature Open Source


For decades, the open source ecosystem has grappled with an invisible crisis: what happens when foundational projects mature beyond active development but remain critical infrastructure? Projects like Kaniko, Kubeapps, and ingress-nginx, once revolutionary, now sit archived or slated for retirement while still underpinning countless production systems. This maintenance gap creates systemic risk, exemplified by the 2024 xz-utils incident (CVE-2024-3094), in which a newly trusted co-maintainer planted a backdoor in the upstream release tarballs that was caught only shortly before it reached stable distributions.

"Without a structured transition model, organizations depending on mature projects are left vulnerable," explain Chainguard co-founders Dan Lorenc and Kim Lewandowski. "EmeritOSS provides a secure landing for essential OSS that doesn't need new features but requires ongoing care."

The program offers:

  1. Stability-Focused Forks: Public GitHub forks prioritizing security maintenance over new features
  2. Vulnerability Management: Dependency updates and CVE patches for archived projects
  3. Clear Lifecycle Documentation: Transparent support timelines for dependent teams
  4. Commercial Packaging: Container images and APK packages for enterprises needing verified builds

Crucially, EmeritOSS does not take on feature development or community building; its sole mission is to preserve project integrity during a sunset period. When Google archived Kaniko in June 2025, Chainguard's interim maintenance gave enterprises time to migrate safely. Kubeapps and ingress-nginx now join the program, receiving:

  • Dependency modernization
  • Critical vulnerability patching
  • Build reproducibility guarantees
  • Commercial SLAs for container distributions

"Chainguard's maintenance of ingress-nginx gives us confidence to operate securely while evaluating alternatives," notes an enterprise adopter. "It respects maintainers and protects users simultaneously."

This initiative reflects Chainguard's broader commitment to open source sustainability, extending beyond EmeritOSS to include Sigstore on-call rotations and funding for the GitHub Secure Open Source Fund. By creating predictable maintenance pathways for mature projects, EmeritOSS mitigates ecosystem-wide risks while acknowledging open source's natural lifecycle—proving that sometimes the most revolutionary innovation is simply keeping the lights on.

Source: Chainguard EmeritOSS Announcement