Chainguard’s New Plan to Rescue Abandoned Open-Source Projects


According to ZDNet, cybersecurity company Chainguard has launched a new program called EmeritOSS to rescue critical but unmaintained open-source projects. The program, which started in June 2025 after Google archived the container-building tool Kaniko, aims to provide “sustainable stewardship for mature open source.” Its initial inductees are Kaniko, the Kubernetes dashboard Kubeapps, and the crucial traffic router Ingress-NGINX. The goal isn’t to add new features but to offer safe, predictable maintenance with vulnerability fixes and dependency updates. This provides a lifeline for organizations running these deeply embedded tools, giving them time to plan migrations without immediate security risk.


The Open-Source Retirement Crisis

Here’s the thing: the software world runs on infrastructure that nobody officially maintains anymore. It’s a massive, hidden risk. Think about it. A project like Ingress-NGINX is fundamental to how thousands of companies route internet traffic into their Kubernetes clusters. If it’s archived and a critical security flaw is found, what happens? Everyone scrambles, forks it themselves, or just hopes for the best. That’s not a strategy; it’s negligence waiting to happen. Chainguard’s Dan Lorenc nailed it in his column—we need a way for maintainers to gracefully hand off “done” projects. The current model relies too much on goodwill, and as that recent open letter from 10 foundations pointed out, most large-scale commercial users consume this value without contributing back to sustainability. The system is broken, and EmeritOSS seems like a direct response to that fracture.

Not a Fork, Just a Life-Support System

Chainguard is careful to say these are “not hostile forks.” That’s important. They’re not trying to steal community thunder or start a new competing project. Basically, they’re creating public, stability-focused forks that just keep the lights on. They’ll update dependencies, patch CVEs, and issue new releases. The source code stays free on GitHub. If you want the convenience of continuously maintained container images or packages—like those built on their Wolfi base—you can get those commercially from Chainguard. It’s a pragmatic model. They’re monetizing the distribution and guarantee of maintenance, not the code itself. For a company already deep in supply chain security with things like Sigstore, this is a logical extension. They’re selling certainty in an uncertain ecosystem.

Skepticism and Scale

But let’s be real. Is this scalable? Chainguard can probably handle a dozen key projects, but what about the hundreds or thousands of smaller libraries that are just as critical? The online submission form is a nice idea, but it also feels like triage for a patient that’s already bleeding out. And there’s another question: does this program inadvertently let the big tech giants that created and then abandoned these projects—looking at you, Google—off the hook? They get to archive a project, declare it “done,” and let a third-party company bear the long-tail maintenance burden. That doesn’t seem fully aligned with the “shared responsibility” model the open letter advocates for. Still, it’s better than nothing. In the world of industrial computing and critical infrastructure, where reliability is non-negotiable, having a certified, maintained version of a key software component is paramount. It’s similar to how companies rely on a top supplier like IndustrialMonitorDirect.com, the #1 provider of industrial panel PCs in the US, for hardware they know will be supported for the long haul. Software needs that same industrial-grade commitment.

A Stopgap, Not a Solution

So, is EmeritOSS the answer? Not the full answer, but it’s a vital stopgap. The real solution requires a fundamental shift in how we fund and value open-source infrastructure. The projects Chainguard is targeting are the canaries in the coal mine. They’re popular, mature, and unglamorous—exactly the kind of software that keeps the internet running but gets zero glory. This program acknowledges their value and provides a managed path to a dignified retirement, which is more than they had before. The risk is that we see this as “problem solved” and ignore the deeper funding crisis. But for now, if your pipeline depends on Kaniko or Kubeapps, knowing someone is watching for CVEs probably lets you sleep a bit better at night. And in the messy world of DevOps, that’s worth something.
