
An ‘EmeritOSS’ effort maintains archived open-source projects

How Chainguard is finding a home for abandoned codebases


Even codebases deserve a comfortable retirement.

An abandoned software repo presents challenges for teams and companies that rely on it. When a widely used library loses an active maintainer and then a vulnerability is discovered, there may be no one around to merge fixes.

That was the worry in November 2025, according to Dan Lorenc, CEO and co-founder of open-source security company Chainguard, when a blog announcement revealed that Ingress NGINX, a favorite component of open-source application orchestrator Kubernetes, would no longer take on additional bug fixes, releases, or security updates.

A month later, Chainguard announced a program to support “mature,” retired, and sometimes abandoned codebases: EmeritOSS (where the OSS refers to “open source software”).

“This, combined with a bunch of the other efforts out there, I think are critical to keeping open-source healthy for everyone in the long term,” Lorenc said.

How it works. EmeritOSS acts as “a home for successful abandoned open-source projects,” Chainguard Senior Principal Developer Relations Engineer Manfred Moser said during the company’s December 2025 announcement of the effort.

The company’s own staff continues maintenance by creating a public “fork” of the original project (a spun-off copy, essentially) as a way to step in and keep things going. With that copy, the EmeritOSS team updates dependencies and makes code changes to resolve security issues. They also handle any new updates or versions if people decide to work on the project at a future date.

The Chainguard group has picked up additional “inductees” like Kubeapps (another Kubernetes manager) and Google’s Kaniko project, which builds container images. (You can submit an application for a new project. In a follow-up email to IT Brew, Lorenc wrote that projects are selected “based on their proven, real-world use and the risk of becoming unmaintained, focusing on mature software that still underpins production systems but no longer has active maintainers,” and that “any individual can submit a project for consideration for the program.”)


The name itself is meant to suggest that an open-source developer deserves some emeritus-style relief after a job well done.

“You’ve graduated,” Lorenc said. “Congratulations. You did something great for the world. Now go do something else with the rest of your time.” (The group announced 10 additional EmeritOSS projects in January of this year, bringing the total to 13.)

Open season. According to open-source software security company Sonatype’s 2026 State of the Software Supply Chain report, 5% to 15% of components in enterprise dependency graphs are “end of life” (EOL), or abandoned without patching capabilities, “meaning EOL exposure is present even when teams believe they are only using supported top-level libraries.”

“These dependencies create permanent exposure: organizations inherit flaws that cannot be remediated upstream, locking long-term risk into the foundation of their software,” Sonatype argues in its study.

Open-source projects have faced infiltration efforts—most notably in early 2024 when a programmer attempted to sneak a backdoor into Linux’s xz data compression library—as well as recent compromises of popular software components like the open-source package Axios.

EmeritOSS exists alongside other efforts to support continuity and advance warning of open-source vulnerabilities, including the Securing Critical Projects Working Group (which aims to identify high-value projects and protect them) and a security “scorecard” assessment from the Open Source Security Foundation. (GitHub also offers guidance on how to create new, forked repos.)

Wait and see. But there’s a lot of open-source code out there, and projects like EmeritOSS, like the State of Florida, can only take in so many retirees.

“We’re doing a good job now, but what if the work gets too much for the team all of a sudden? It’s hard to predict. How big can we scale it with that team? And we’re a company, at the end of the day. We’re paying for this,” Lorenc said. “Is the ROI there?”

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
