From b706e6c2f2d2c8f2c4f02ed39e1333250e838636 Mon Sep 17 00:00:00 2001 From: s-stumbo Date: Mon, 4 May 2026 15:26:30 -0400 Subject: [PATCH 1/2] Add build criteria content for libraries Signed-off-by: s-stumbo --- content/chainguard/libraries/overview.md | 27 +++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/content/chainguard/libraries/overview.md b/content/chainguard/libraries/overview.md index 1b49b05ffc..91e5a9007b 100644 --- a/content/chainguard/libraries/overview.md +++ b/content/chainguard/libraries/overview.md 
@@ -99,7 +99,32 @@ Chainguard Libraries is available for the following library ecosystems: * Python and the larger ecosystem with [Chainguard Libraries for Python](/chainguard/libraries/python/overview/) -## Library version support +## Chainguard criteria for building a library + +Chainguard Libraries includes thousands of Java, JavaScript, and Python libraries, and coverage is continuously growing as we add more packages and versions over time. Chainguard aims to build libraries that are relevant to our customers and that support broader software supply chain security goals. However, it is not always feasible or safe to rebuild and redistribute every package from public registries such as Maven Central, npm, or PyPI. + +### Licensing and source availability + +Chainguard Libraries are rebuilt from upstream source code, not mirrored binaries from public registries. For a library to be in scope: + +* Source code must be available and verifiable + * The project’s source must be available in a source code manager (such as GitHub or GitLab). Packages that do not provide a valid or verifiable source URL cannot be rebuilt in the Chainguard Factory and are out of scope. +* Licensing must allow rebuild and redistribution + * The project must be licensed in a way that allows Chainguard to rebuild and redistribute it to customers. + +### Library version support + +Chainguard builds libraries using supported language toolchains in our hardened build environment. We do not aim to replicate all historical runtime environments exactly, but we do attempt to preserve runtime compatibility where it is safe to do so. For older or EOL projects, our ability to build and remediate issues is constrained by runtime compatibility and by upstream maintenance practices. + +Our current minimum supported toolchains are: + +* **Python**: Python 3.10 and higher. +* **Java**: Java 8 and higher. +* **JavaScript**: Any supported, non-EOL version of Node.js. 
+ +These requirements don’t exclude older libraries; we still attempt to rebuild them using our supported toolchains. + +### EOL version support When a library version reaches end of life (EOL) upstream, Chainguard Libraries continues to build packages and provide security fixes for that version for six months beyond the upstream EOL date. From 20a2f1d05c087c56e314985e7cf5f3e8721118f9 Mon Sep 17 00:00:00 2001 From: s-stumbo Date: Tue, 5 May 2026 09:16:25 -0400 Subject: [PATCH 2/2] Apply feedback Signed-off-by: s-stumbo --- content/chainguard/libraries/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/chainguard/libraries/overview.md b/content/chainguard/libraries/overview.md index 91e5a9007b..357dc2510d 100644 --- a/content/chainguard/libraries/overview.md +++ b/content/chainguard/libraries/overview.md @@ -122,7 +122,7 @@ Our current minimum supported toolchains are: * **Java**: Java 8 and higher. * **JavaScript**: Any supported, non-EOL version of Node.js. -These requirements don’t exclude older libraries; we still attempt to rebuild them using our supported toolchains. +We will attempt to rebuild any libraries that meet the [licensing and source availability criteria](#licensing-and-source-availability) using the supported toolchains. ### EOL version support
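Review bot: in the `@@ -99,7 +99,32 @@` hunk, the bullet "Source code must be available and verifiable" never says what "verifiable" covers, and that is the security-relevant half of the criterion; a reader cannot tell whether a package is rejected for a missing URL, for a URL that does not resolve, or because the published release cannot be matched to a tag or commit in that repository. Consider adding a clause that states whichever of these the Factory actually checks, e.g. "and the published version must correspond to a tag or commit in that repository". Same hunk: "Chainguard Factory" appears here for the first time on this page with no definition or link, and the product name is treated as singular in "Chainguard Libraries includes" but plural in "Chainguard Libraries are rebuilt"; pick one.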
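Review bot: the replacement line in the `@@ -122,7 +122,7 @@` hunk, "We will attempt to rebuild any libraries that meet the licensing and source availability criteria", reads as an unconditional commitment that sits awkwardly against the paragraph two lines above it ("For older or EOL projects, our ability to build and remediate issues is constrained by runtime compatibility") and against the intro's scoping to libraries "relevant to our customers"; it also drops the point the removed sentence made, that older libraries are not excluded by the minimum toolchains. Consider "We attempt to rebuild libraries that meet the licensing and source availability criteria, including older versions, using the supported toolchains." Also confirm the site's heading slugger renders "### Licensing and source availability" as `#licensing-and-source-availability`, since the anchor is hand-written rather than generated.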