
Commit

Merge pull request #1422 from SharpRake/prl-update
adding blurb about Wolfi Packages to Product Release Lifecycle doc
erikaheidi authored Mar 7, 2024
2 parents e19ff50 + 6e9e707 commit cc4a806
Showing 2 changed files with 10 additions and 3 deletions.
3 changes: 1 addition & 2 deletions content/chainguard/chainguard-images/fips-images.md
Expand Up @@ -32,11 +32,10 @@ Because standard OpenSSL is not validated for FIPS, the OpenSSL FIPS module was

Chainguard submitted a request for [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/projects/cryptographic-module-validation-program) validation for our redistribution of OpenSSL’s FIPS provider module to NIST. This submission to the CMVP allows Chainguard to redistribute a FIPS-validated module in Wolfi and Chainguard Images. As of this writing, this redistribution is derived from the OpenSSL 3.0.9 FIPS module sources.

By including this redistribution of the OpenSSL FIPS module, Chainguard is able to provide Images that use FIPS-validated cryptography until the official certificate comes through. You can find the submission status on [NIST’s Modules in Process list](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List). We also run tests on each of our FIPS Images to ensure the given application is configured with FIPS-validated cryptography end-to-end.
By including this redistribution of the OpenSSL FIPS module, Chainguard is able to provide Images that use FIPS-validated cryptography until the official certificate comes through. You can find the submission status on [NIST’s Modules in Process list](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List). We also run tests on each of our FIPS Images to ensure the given application is configured with FIPS-validated cryptography end-to-end. Note that Chainguard's FIPS Images use these modules by default, so there aren't any build flags users need to enable to apply this feature.

Additionally, Chainguard is already prepared for the migration to FIPS 140-3 in the near future because we provide the OpenSSL 3.1 module required for certification. It is expected that the certification process for this module will begin in 2024.


### Regarding Java-based FIPS Images
As mentioned previously, Chainguard provides several FIPS-ready Images that are based on Java. However, this presents some challenges because Java applications generally don't leverage OpenSSL for cryptography and there isn't another cryptographic library serving as a widely-used standard for Java applications. For these reasons, Chainguard's Java-based Images instead ship with the [FIPS variant of the Bouncy Castle Crypto package](https://www.bouncycastle.org/fips_faq.html), a Java implementation of cryptographic algorithms.

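Review bot: the sentence added on the last changed line of this hunk says Chainguard's FIPS Images "use these modules by default", but the section immediately below ("Regarding Java-based FIPS Images") says the Java-based FIPS Images ship the Bouncy Castle FIPS package rather than the OpenSSL FIPS module, so "these modules" over-generalises; scope the claim to the OpenSSL-based Images, e.g. "Chainguard's OpenSSL-based FIPS Images load this module by default". "Build flags" is also the wrong term for what a user of a prebuilt Image would be expected to set; "no additional build flags or runtime configuration" says what the reader actually needs to know.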
10 changes: 9 additions & 1 deletion content/chainguard/chainguard-images/versions.md
Expand Up @@ -4,7 +4,7 @@ linktitle: "Product Release Lifecycle"
type: "article"
description: "Understanding Chainguard's Approach to Image Versions"
date: 2024-01-08T08:49:31+00:00
lastmod: 2024-01-09T08:49:31+00:00
lastmod: 2024-03-06T08:49:31+00:00
draft: false
tags: ["Chainguard Images", "Product"]
images: []
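Review bot: the new lastmod value 2024-03-06T08:49:31+00:00 reuses the exact 08:49:31 time-of-day of the unchanged date field, so it reads as a copied date rather than a recorded one, and the merge itself landed on Mar 7; use the actual edit timestamp, or drop the time component if the site only renders the date.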
Expand Down Expand Up @@ -73,6 +73,14 @@ For single release track software projects, Chainguard will maintain only the `:

Actively maintained Chainguard Images are rebuilt on a daily cadence, so you can be sure the Image you are using is up to date.

## Wolfi Packages in Chainguard Images

Chainguard Images only contain packages that are either built and maintained internally by Chainguard or packages from the [Wolfi Project](https://github.com/wolfi-dev). These packages follow the same conventions of minimalism and rapid updates as Chainguard Images.

Starting in March of 2024, Chainguard will maintain one version of each Wolfi package at a time. These will track the latest version of the upstream software in the package. Chainguard will end patch support for previous versions of packages in Wolfi. Existing packages will not be removed from Wolfi and you may continue to use them, but be aware that older packages will no longer be updated and will accrue vulnerabilities over time. The tools we use to build packages and images remain freely available and open source in Wolfi.

This change ensures that Chainguard can provide the most up-to-date patches to all packages for our Images customers. Note that specific package versions can be made available in Production Images. If you have a request for a specific package version, please [contact support](https://support.chainguard.dev/hc/en-us).

## SLAs

A vulnerability and patch service-level agreement (SLA) is available for Chainguard Production Images. If you are currently using Chainguard Developer Images, there are no SLAs available, but you will have access to frequently updated and patched Images with low-to-zero CVEs.
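Review bot: the second and third added paragraphs pull in opposite directions without saying how they fit together: older Wolfi package versions "will no longer be updated and will accrue vulnerabilities over time", yet "specific package versions can be made available in Production Images", and the SLAs section that follows promises a vulnerability and patch SLA for Production Images. State explicitly whether a pinned older version supplied on request is patched under that SLA or carries the same unpatched status as the copy left in the Wolfi repository; as written, a reader pinning a version could assume SLA coverage the text does not actually grant. Smaller points: "either built and maintained internally by Chainguard or packages from the Wolfi Project" mismatches its "either ... or" halves (drop the second "packages"); "These will track the latest version" should name its subject ("Each maintained package version will track ..."); "Images customers" should read "Image customers"; and "packages and images" should capitalise "Images" as the rest of the document does.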

0 comments on commit cc4a806
