How long do packages stay in the index?

[Schmitze333]

We are close to build our base images for our production workloads based on wolfi-os.
The main used programming language throughout the company is Ruby, and hence we as platform team have to provide base images for a couple of Ruby versions.

I see quite a lot versions of Ruby APKs in wolfi-os' package index. However, I wonder how long a version of a package will stay in the index. Are at some point in time packages removed or do the stay in the index like forever?

Thank you in advance! KR

[xnox]

Hi,

Some of these questions are answered here:

• https://edu.chainguard.dev/chainguard/chainguard-images/faq/#which-images-are-available
• https://edu.chainguard.dev/chainguard/chainguard-images/faq/#what-options-do-i-have-to-use-chainguard-images

In general, wolfi typically has latest versions of things; and minor/micro/lts versions might be in paid images only.

To enable rebuilding Chainguard Images reproducibly, the .apk's are immutable and remain published as long as possible - without any sort of guarantees or SLA for the community use and can be left unmaintained (i.e. ancient packages may need other old packages to install/run).

We do withdraw/unpublish them from time to time (see withdrawn packages log in the apk repo) - generally when published apk is harmful, dangerous, or broken beyond repair, or affects installing up to date versions. (i.e. sometimes old .apk has incorrect depends/provides declared preventing installing up to date packages).

For production use, with access to SLAs / support / private-registry / guaranteed access to minor.micro versions, typically production grade Chainguard Images are recommended to deploy directly, or to use as part of internal golden image building pipeline. Contact Chainguard sales for more at https://www.chainguard.dev/contact to discuss current needs and/or revisit in the future.

Regards,
Dimitri.

[Schmitze333]

Thank you Dimitri!

That helps us in taking a decision here.

KR,

Marc