Chainguard launches EmeritOSS to safeguard mature OSS
Chainguard has launched EmeritOSS, a maintenance programme for mature open source projects that no longer have active development teams but remain widely used.
The company said the initiative focuses on stability and security for projects that have reached a steady state and need ongoing upkeep rather than new features.
Mature projects
Open source software often depends on a small number of maintainers. Some projects reach a point where major new releases slow down, while the software continues to sit inside production systems. Organisations can still rely on these components for build pipelines, compliance requirements, or inherited dependencies.
Chainguard pointed to risks that emerge when maintainers step away without a structured transition. It referenced the xz-utils incident as an example of what can happen when a long-running project changes hands informally and a new contributor gains influence over time.
EmeritOSS targets what Chainguard described as unmaintained and archived projects. The company said the programme offers maintenance-only stewardship and sets expectations about what it will and will not do.
Support model
Under the programme, Chainguard said it will create public forks of selected projects. It said the forks aim to preserve access to the codebase and keep continuity. The company said it will not position them as competitive alternatives.
Chainguard also said it will update dependencies and issue new releases that incorporate vulnerability fixes. It said it will publish documentation that sets out support scope and service levels.
The company said it may also build EmeritOSS projects from source and add them to its image catalogue when needed. It said it will provide updated APK packages where applicable.
Chainguard said it will not take on new feature development for EmeritOSS projects. It also said it will not proactively engage with community issues or pull requests for these forks.
Chainguard said the forked versions will remain freely available on GitHub in source form only. It said organisations that want a continuously maintained container image or APK can use a commercial distribution.
Early inductees
Chainguard named three initial projects in the programme: Kaniko, Kubeapps, and ingress-nginx.
Chainguard said it stepped in after Google archived Kaniko. The company said customers raised concerns about disruption to workflows. It said it provided maintenance-only support on its fork so teams could continue using the tool or plan a move away over time.
Chainguard said it has seen similar patterns with other archived or unmaintained projects. It cited compliance obligations, fragile pipelines, and deeply embedded dependencies as common reasons organisations keep using older components.
Chainguard said it is adding Kubeapps and ingress-nginx under EmeritOSS as projects whose maintainers have reached lifecycle transition points. It said it will keep them secure and operational for teams that still depend on them.
One early user pointed to the operational pressure created by a core component changing status.
“Having the possibility to get a supported ingress-nginx allows us to spend more time to evaluate the plan to move teams to another ingress controller or gateway api,” said Louis Gisarov, DevOps Manager, Rogers. “Chainguard's decision to take on the maintenance of ingress-nginx gives us confidence that we can continue to operate securely. It's great to see an organization step in to support critical OSS in a way that respects maintainers and protects users at the same time.”
Security focus
Chainguard positioned EmeritOSS as a response to supply chain risk in mature projects. The company said organisations face exposure when foundational components no longer have clear ownership and regular maintenance.
It also framed the programme as a way for maintainers to step away from long-running projects without leaving users with an abrupt cliff edge. Chainguard said the projects in scope do not need constant development. It said they do need predictable maintenance and vulnerability response.
Chainguard said it has already delivered CVE fixes, dependency updates, and maintained commercial images for its fork of Kaniko. The company said Kubeapps and ingress-nginx will receive the same maintenance approach.
Chainguard said it will consider additional archived or unmaintained projects for inclusion in the programme.