Project Lightwell
Red Hat's announced initiative to scan, backport, test, sign, and deliver patched versions of upstream open-source artefacts to enterprise customers on their pinned versions.
What it is
Project Lightwell is a Red Hat initiative (in development, with early adopters; commercial subscription planned) to deliver patched versions of upstream open-source artefacts to enterprise customers. The stated scope covers independent libraries, language toolchains, AI frameworks, and data streaming platforms.
The promise is a pipeline applied to packages in that scope: scan for issues, backport fixes, test the result, sign it, and deliver it at the customer’s pinned version. Fixes are contributed upstream in parallel. Two parts of this set Lightwell apart from rebuild-on-upstream-fix offerings like Chainguard or Bitnami:
- Backporting to pinned versions. Customers do not have to upgrade a major version to receive a fix; Red Hat applies the fix to the version they already depend on. Chainguard and Bitnami expect customers to roll forward to the latest patched build.
- Proactive issue-finding. The “scan” step implies Red Hat looks for issues themselves rather than waiting for upstream CVE feeds. What that scan actually entails is not detailed publicly, and the offering does not promise structured audits: patches are the unit of delivery, not signed claims about properties of the code.
Trust model
Trust in Lightwell is single-anchor and commercial. Customers trust Red Hat to identify issues correctly, write or apply correct backports, test the result, and sign the artefact. Signing infrastructure and verification specifics have not been publicly detailed.
Lightwell’s claim about an artefact is about the patches Red Hat has applied: this version, plus these named fixes, built and tested by Red Hat. Backporting requires reading the patch, and proactive scanning involves looking at the code, but the offering does not claim the rest of the package has been reviewed for unknown issues.
Comparison to OpenVet
Lightwell and OpenVet address different points in the same problem, and can be used together.
What is being attested. Lightwell attests what fixes have been applied to a pinned version of an upstream artefact. OpenVet helps you make attestations about the code itself: whether it is malicious, whether it is implemented correctly, whether there are findings consumers should know about. Lightwell’s work intersects the code (backporting requires reading the patch, scanning involves looking at the code), but the unit of delivery is a patched artefact, not signed claims about properties of the source.
Trust set. Lightwell customers trust one signing identity: Red Hat’s. OpenVet consumers list one or more log URLs in openvet.toml, each independently signed by its owner. One is a single commercial trust anchor, the other is a configurable set.
Scope of artefacts. Lightwell’s stated coverage is “independent libraries, language toolchains, AI frameworks, and data streaming platforms”, to be expanded as the programme scales. OpenVet covers the full package set of each supported ecosystem (Cargo, npm, PyPI, Go modules, RubyGems), since audits attach to packages that already exist in those registries.
Cost and access. Lightwell is offered through commercial subscriptions to Red Hat customers. OpenVet is open infrastructure: running an audit log requires no agreement with anyone. Audits are licensed under permissive licenses, giving you the right to use them however you like at no cost.
Using alongside OpenVet
The two are complementary along the same axis as Chainguard or Bitnami: a vendor doing engineering against the artefact you consume, plus an open record of what auditors you trust have said about the source.
Backporting is not auditing. Lightwell promises that someone is actively patching your pinned dependencies as issues surface, whether reported upstream or found by Red Hat’s own scanning. That is a real service and it does involve reading code. It is distinct from “has anyone reviewed this code and recorded structured claims about it”, which is the question OpenVet is built around.
Stacking them. Use Lightwell (where available) to keep pinned dependencies patched without forced upgrades, and OpenVet to check whether the source dependencies of your own application have been audited by people you trust. The two answer different questions about the same supply chain.
Where the contracted scope ends. Lightwell’s coverage is what Red Hat’s clearinghouse has agreed to maintain for its customers. For anything outside that scope, the customer is back to upstream behaviour and self-managed updates. OpenVet does not change that, but it does provide a way to share source-review work across consumers without going through a commercial intermediary.