Bitnami open source

What’s Up with Bitnami? Unraveling the Myths About Your Favorite Pre-Packaged Open Source Software Catalog

It’s been a big year for Bitnami. In addition to turning 18 this spring, the open source catalog has been streamlined and a new commercial offering was launched. As expected, some confusion arose among all the action, and many competitors used that as an opportunity to foment fear, uncertainty, and doubt. Here, we outline the reality so that Bitnami users and customers can better understand what’s really going on with their favorite (and only) open source catalog and its related commercial offerings! 

Bitnami is Open Source

To misquote Mark Twain: Rumors of my demise are greatly exaggerated! Contrary to some headlines, Bitnami is still open source and freely available, and it’s no secret that many commercial vendors use Bitnami’s open source for their own offerings. The Bitnami engineering team has developed more than 110 best-in-class Helm charts throughout its 18-year history. All the source code for the Debian-based container images and Helm charts is still available on GitHub, and users can still build images and charts from that source code.

Bitnami’s Docker Hub Registry is still available

While the number of pre-built OCI images the Broadcom team maintains on Docker Hub has been reduced, we introduced 40 new hardened images that were never before available to the community. Where the community was previously consuming images carrying more than 100 CVEs on average, it is now seeing near zero as a result of this change.

Legacy Debian images have been replaced with some of our new hardened and secure images based on PhotonOS. For example, the Bitnami MariaDB listing on Docker Hub now provides the latest hardened version and is still receiving patch updates. If you go to our public catalog interface, you can check out the security metadata (SBOM, VEX, etc.), which was previously unavailable to the community.

The PhotonOS images are drop-in replacements for the Debian images, and are tested for compatibility with the same Helm charts. This means users can instantly supercharge their security posture and cut down the number of CVEs without having to retool CI/CD or deployment processes for a new Helm chart. It’s that easy.

There are about 40 of these new hardened images available for developers. (Note that these are overwritten every time there is an update and we only support the latest, so although they are freely available on Docker Hub, it’s probably not a good idea to use them in production.) For enterprise users who want more than 40 images, the commercial subscription provides access to more than 280 apps in the same hardened form factor.

Bitnami’s Helm charts are unmatched

It has taken Bitnami many years to become a leader in authoring first-party Helm charts, which makes the overnight availability of replacement Bitnami Helm charts suspicious: the fact is that those replacement charts are actually Bitnami under the hood. It takes time and expertise to build more than 110 Helm charts from scratch, with security by design and continual testing on multiple Kubernetes flavors.

Over the years Bitnami has received countless GitHub issues and PRs that continually improve the charts and make them what they are today. That’s why some vendors have no choice but to admit they “soft forked” Bitnami (which means Bitnami must be free; otherwise, how would they copy it?). The real myth is that other vendors can provide the same production-grade support as Bitnami.

Not all patches are equal

The power of Bitnami’s automation capabilities truly shines when it comes to releasing patches quickly—often within a few hours of a fix being available. Here is an example of the Bitnami team’s response to a Python CVE from this summer. When Bitnami detects new versions, it triggers the build and verification, managing Helm charts and images and all their dependencies to make sure everything is working as it should. We never fork upstream, so you only get authentic builds that have been properly vetted by the project maintainers. 

By contrast, releasing modified code (e.g. replacing JAR files) before an official patch is available has become a popular shortcut to a fix for a reported CVE. This might get the job done faster, but it sacrifices quality and durability. Patching a project outside of the prescribed pathway for submitting fixes creates a fork of the codebase and bypasses the controls, peer review, and overall best practices of an open source project.

Because Bitnami builds from source code using official releases, the dependencies don’t change, allowing for operational uniformity. For those CVEs that are not addressed by the upstream, Bitnami provides VEX (Vulnerability Exploitability eXchange) assessment data that explains how the CVE affects the application, so customers can quickly triage the vulnerability’s risk profile.
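As an added example (not Bitnami’s code) of the triage step this VEX data enables: a constructed OpenVEX-style document is applied to constructed scanner findings, and a CVE stays open unless a statement for the exact scanned image marks it fixed or not_affected with a justification. The OpenVEX v0.2.0 layout, the pkg:oci purls and the CVE ids are assumptions or placeholders.

```python
import json

IMAGE = "pkg:oci/example-app@3.0.0"   # constructed purl of the scanned image
# Constructed scanner output: CVE ids are placeholders, not real vulnerabilities.
FINDINGS = [("CVE-0000-0001", IMAGE), ("CVE-0000-0002", IMAGE),
            ("CVE-0000-0003", IMAGE), ("CVE-0000-0004", IMAGE)]

def stmt(cve, purl, status, justification=None):
    # One OpenVEX-shaped statement (the v0.2.0 layout is an assumption here)
    s = {"vulnerability": {"name": cve}, "products": [{"@id": purl}], "status": status}
    if justification:
        s["justification"] = justification
    return s

# Constructed VEX document; the four statements cover the cases triage must handle.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/example-app-3.0.0",
    "author": "constructed example", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
    "statements": [
        # justified not_affected for our exact product -> resolved
        stmt("CVE-0000-0001", IMAGE, "not_affected", "vulnerable_code_not_present"),
        # not_affected with no justification -> stays open for review
        stmt("CVE-0000-0002", IMAGE, "not_affected"),
        # statement about an older build, not the scanned one -> does not apply
        stmt("CVE-0000-0003", "pkg:oci/example-app@2.9.0", "not_affected", "component_not_present"),
        # fixed upstream and rebuilt from the official release -> resolved
        stmt("CVE-0000-0004", IMAGE, "fixed"),
    ],
})

def triage(findings, vex_json):
    """Map each (cve, purl) finding to 'resolved: ...' or 'open: ...', honouring
    only VEX statements that name the exact purl of the scanned image."""
    index = {}
    for s in json.loads(vex_json).get("statements", []):
        for p in s.get("products", []):
            index[(s["vulnerability"]["name"], p["@id"])] = s
    out = {}
    for cve, purl in findings:
        s = index.get((cve, purl))
        if s is None:
            out[cve] = "open: no VEX statement for this product"
        elif s["status"] == "fixed":
            out[cve] = "resolved: fixed"
        elif s["status"] == "not_affected" and s.get("justification"):
            out[cve] = "resolved: not_affected/" + s["justification"]
        else:
            out[cve] = "open: status " + s["status"] + " needs review"
    return out
```

Only the two findings with a matching, fully specified statement drop out of the actionable set; the unjustified and wrong-product statements leave their CVEs open for a human to look at.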

Comprehensive SBOMs

Because Bitnami automatically fetches the application’s source code directly, it records the source URL, version, and license: information that cannot be discovered just by scanning the image. This means Bitnami can identify what is in your software with deeper and more transparent insight, making audits easier, reducing risk, and improving supply chain security (a good definition for this is provided by SLSA).

Many vendors use scanning tools to generate software bill of materials (SBOM) documents from an image. While scanners can provide a certain level of visibility, they often don’t recognize the proper licenses, or binaries that are not part of packages, since there is no metadata to rely on. This means you don’t have comprehensive coverage of what’s inside the software you are ingesting. Bitnami, on the other hand, builds the SBOMs from the very first build steps in the pipeline.

Bitnami’s enduring enterprise appeal

For organizations that run their businesses on open source, Bitnami is the option that provides the most transparency, enabling them to respond quickly to security breaches and weaknesses. Bitnami continues to pioneer the way enterprises use open source with rapid releases of CVE fixes, sometimes within hours of availability. Our transparent approach ensures organizations can act with full knowledge of their choices and the implications that follow. To see what it’s like, check out Bitnami’s catalog of over 280 secure and hardened container images today, and contact us for a free trial.