Clarification on packages moved to enterprise packages and future OSS availability

[sfinke0]

Hi Wolfi maintainers,

I'm opening this discussion to better understand the recent package removals/moves from wolfi-dev/os into enterprise packages.

In particular, commit 50df2ec / PR #112221 appears to have moved some packages to enterprise-packages, deleting public package definitions such as:

pulumi.yaml
prometheus-3.12.yaml
grafana-13.0.yaml
and several others

I'm using Wolfi to build minimal, low-CVE containers, and I've been relying on the public Wolfi package repository as part of that workflow. Having packages disappear from the public repository without a clear heads-up or migration path feels like being rug-pulled, to be honest. I'm genuinely sad about this because Wolfi has been a very useful OSS building block for producing secure containers.

I understand that maintainers have to make trade-offs around support burden, priorities, CVE SLAs, and commercial offerings. I'm not asking anyone to maintain an unlimited package set for free. But from an OSS user's perspective, it is difficult to plan around Wolfi if packages can move from the public repo to enterprise-only availability without advance notice, deprecation windows, or a published policy.

Could you please clarify:

• What criteria determine whether a package remains in the public Wolfi repository vs. being moved to enterprise packages?
• Are packages like Prometheus-related components, Grafana-related components, Pulumi, etc. expected to remain unavailable publicly going forward?
• Is there any plan to provide these packages as OSS again in the future?
• Will there be advance notice, a deprecation policy, or a public tracking issue/discussion before public packages are removed or moved to enterprise-only repositories?
• Is the recommended path for community users now to fork the last public recipes and maintain them independently, or is there still an intended community contribution path for keeping these packages available in Wolfi?

I'd really appreciate a clear answer here. I want to keep using and recommending Wolfi, but I need to understand whether the public repository is still intended to be a reliable base for container builds, especially for common infrastructure packages.

Thanks for all the work you’ve put into Wolfi so far.

Cheers
Basti 💕

[vaskozl]

This is a list of other packages that I relied on (at the homelab) that silently went out of date/vulnerable:

  - chromium — migrated out of public wolfi-os (move-batch-001)
  - flannel — migrated out of public wolfi-os (move-batch-003)
  - buildkitd — migrated out of public wolfi-os (move-batch-007)
  - cloudflared — migrated out of public wolfi-os (move-batch-009)
  - coredns — migrated out of public wolfi-os (move-batch-010)
  - code-server — migrated out of public wolfi-os (move-batch-010)
  - fluent-bit — migrated out of public wolfi-os (move-batch-015)
  - grafana — migrated out of public wolfi-os (move-batch-018)
  - haproxy — migrated out of public wolfi-os (move-batch-018)
  - k8s-sidecar — migrated out of public wolfi-os (move-batch-020)
  - mariadb — migrated out of public wolfi-os (move-batch-026)
  - oauth2-proxy — migrated out of public wolfi-os (move-batch-029)
  - nfs-subdir-external-provisioner — migrated out of public wolfi-os (move-batch-029)
  - prometheus-alertmanager — migrated out of public wolfi-os (move-batch-032)
  - renovate — migrated out of public wolfi-os (move-batch-034)
  - prometheus-node-exporter — purged 2025-02 (#41428, "not needed for public images")
  - redis — dropped 2024-09 after Redis relicensing; replaced by valkey

[xnox]

Hi @sfinke0 @vaskozl,

All the packages mentioned in both of your messages continue to be provided and supported by Chainguard.

If you urgently require access to these packages the quickest way to restore access to them for you is to find the relevant Chainguard Image for these projects and click "request trial" - for example for pulumi click "request trial" on https://images.chainguard.dev/directory/image/pulumi/versions. You can also use the search bar on the top right on that page to find other images and request access. As part of the Chainguard Registry - access is granted to both the prebuilt container images as well as authenticated private packages feed to access the .apk files directly.

@vaskozl about redis - it is still available, but due to licensing change we moved it to extra-packages which is a public repository but separated from wolfi precisely because of the additional licensing restrictions imposed on the users. To access redis you can add chainguard-keys package and fetch redis from the extras repositories. Or indeed use valkey which has the older licensing.

$ docker run -it --entrypoint sh cgr.dev/chainguard/wolfi-base
/ # apk add chainguard-keys
fetch https://apk.cgr.dev/chainguard/x86_64/APKINDEX.tar.gz
(1/1) Installing chainguard-keys (2-r8)
OK: 15 MiB in 16 packages
/ # apk add -X https://apk.cgr.dev/extra-packages redis
fetch https://apk.cgr.dev/extra-packages/x86_64/APKINDEX.tar.gz
(1/3) Installing posix-libc-utils-bin (2.43-r8)
(2/3) Installing libstdc++ (16.1.0-r2)
(3/3) Installing redis-8.6 (8.6.4-r1)
Executing busybox-1.37.0-r60.trigger
OK: 48 MiB in 19 packages

The retention policy on apk builds was announced in the Github discussions, please see the below announcements for details:

• https://github.com/orgs/wolfi-dev/discussions/63023
• https://github.com/orgs/wolfi-dev/discussions/78666
• https://github.com/orgs/wolfi-dev/discussions/78705

If you have any further questions or need additional help, please reach out directly to me on dimitri.ledkov@chainguard.dev.