Root.io

Open Source, Done Right: Root’s Commitment to Transparency and Trusted Images

At Root, our mission is guided by a fundamental belief: if you’re going to modify and distribute open-source software, you owe it to the community to do so transparently. This isn’t just a nod to legal compliance—it’s a philosophy that puts integrity, accessibility, and trust at the heart of modern software distribution.

As software supply chain threats grow in complexity, organizations need trusted partners who offer not only secure technology but also clear, verifiable processes. That’s why Root has invested in a robust open-source strategy and compliance infrastructure, and recently achieved Docker Verified Publisher status—all powerful signals of our commitment to building a healthier, more secure open-source ecosystem.

Transparency in Action: Three Scenarios That Define Root’s Approach

Transparency at Root means more than just sharing data—it means making it actionable. We anchor this belief across three practical OSS distribution models:

  1. Security-Patching Customer-Owned Images (Paid Access)

    • Root applies automated, backported security patches to your container images—without taking over your base.

    • We ensure GPL-3.0 source code is published by default, and GPL-2.0 source code is available on request.

    • Dockerfiles, patch files, and compliance notes are publicly available in our GitHub repositories.

  2. Facilitating Upstream Upgrades (Paid Access)

    • We help customers upgrade via unmodified upstream containers (e.g., official images from Debian or Alpine).

    • Root doesn’t modify these images—so original OSS licenses apply.

    • Source references and documentation are always linked for transparency.

  3. Distributing Patched Public Images (Free Access)

    • Root offers nearly 40 secure, low-vulnerability images on Docker Hub, enhanced for security and efficiency.

    • Each image includes a README detailing license obligations, modifications, and links to full source code and build instructions.

Docker Verified Publisher: A Seal of Trust

Root’s inclusion in the Docker Verified Publisher program is a direct result of our OSS transparency principles. This badge tells developers and enterprises that:

  • Our images are authentic, secure, and verified directly by Docker.

  • They are free from hidden vulnerabilities or licensing surprises.

  • We maintain a high bar for compliance and update transparency.

Root currently offers secure versions of popular base images like:

All are built to reduce vulnerability surface area, with full compliance documentation embedded in each repo.

The Root Trust Center and OSS Commitment

Legal fine print shouldn’t be a blocker to OSS adoption. That’s why we built the Root Trust Center and published our Open Source Commitment to give developers and organizations clear, actionable resources that help them:

  • Understand Root’s OSS licensing obligations and fulfillment.

  • Access SOC 2 Type II reports and security practices.

  • Download source code, patch files, and attribution documentation.

  • Ensure long-term OSS compliance with retention and audit-ready practices.

We believe OSS compliance should be:

  • Straightforward – clear attribution and legal clarity.

  • Accessible – source and build artifacts always public.

  • Defensive – avoiding unintentional violations like trademark misuse or improper bundling.

  • Persistent – compliance artifacts retained for 3+ years.


Why Trust in Open Source Matters More Than Ever

Software supply chains are now critical infrastructure. A single vulnerability—intentionally introduced or accidentally overlooked—can cause cascading failures across industries.

Root’s approach to OSS and container transparency isn’t about satisfying a legal checklist. It’s about building institutional confidence in open-source workflows. It’s about helping teams deploy faster while knowing exactly what’s running in their environments.

With Root, you get:

  • Secure, verified images you can trust

  • End-to-end visibility into modifications and license terms

  • A partner committed to helping you build responsibly

Get Started

Visit our Docker Hub profile to explore verified images, or check out our Trust Center for details on how we’re raising the bar in container security and open-source stewardship.
