
Commit a364f6d

Add build criteria content for libraries (#3293)
[ ] Check if this is a typo or other quick fix and ignore the rest :)

## Type of change

Update to Libraries overview

### What should this PR do?

Add content on build criteria, licensing and scope availability, version support

### Why are we making this change?

Requested in this thread: https://chainguard-dev.slack.com/archives/C0962EGMS3F/p1777559146860869?thread_ts=1777405982.409859&cid=C0962EGMS3F

Issue documented here: https://github.com/orgs/chainguard-dev/projects/166/views/14?pane=issue&itemId=182364463&issue=chainguard-dev%7Cinternal%7C5824

### What are the acceptance criteria?

Content should be clear and accurate and appear in the expected location

### How should this PR be tested?

Review the deploy preview

---------

Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev>
1 parent 23b1b86 commit a364f6d

1 file changed

Lines changed: 26 additions & 1 deletion

content/chainguard/libraries/overview.md

@@ -99,7 +99,32 @@ Chainguard Libraries is available for the following library ecosystems:
9999
* Python and the larger ecosystem with
100100
[Chainguard Libraries for Python](/chainguard/libraries/python/overview/)
101101

102-
## Library version support
102+
## Chainguard criteria for building a library
103+
104+
Chainguard Libraries includes thousands of Java, JavaScript, and Python libraries, and coverage is continuously growing as we add more packages and versions over time. Chainguard aims to build libraries that are relevant to our customers and that support broader software supply chain security goals. However, it is not always feasible or safe to rebuild and redistribute every package from public registries such as Maven Central, npm, or PyPI.
105+
106+
### Licensing and source availability
107+
108+
Chainguard Libraries are rebuilt from upstream source code, not mirrored binaries from public registries. For a library to be in scope:
109+
110+
* Source code must be available and verifiable
111+
* The project’s source must be available in a source code manager (such as GitHub or GitLab). Packages that do not provide a valid or verifiable source URL cannot be rebuilt in the Chainguard Factory and are out of scope.
112+
* Licensing must allow rebuild and redistribution
113+
* The project must be licensed in a way that allows Chainguard to rebuild and redistribute it to customers.
114+
115+
### Library version support
116+
117+
Chainguard builds libraries using supported language toolchains in our hardened build environment. We do not aim to replicate all historical runtime environments exactly, but we do attempt to preserve runtime compatibility where it is safe to do so. For older or EOL projects, our ability to build and remediate issues is constrained by runtime compatibility and by upstream maintenance practices.
118+
119+
Our current minimum supported toolchains are:
120+
121+
* **Python**: Python 3.10 and higher.
122+
* **Java**: Java 8 and higher.
123+
* **JavaScript**: Any supported, non-EOL version of Node.js.
124+
125+
We will attempt to rebuild any libraries that meet the [licensing and source availability criteria](#licensing-and-source-availability) using the supported toolchains.
126+
127+
### EOL version support
103128

104129
When a library version reaches end of life (EOL) upstream, Chainguard Libraries continues to build packages and provide security fixes for that version for six months beyond the upstream EOL date.
105130

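Review bot: Lines 111 and 113 are explanations of the bullets directly above them (source availability, licensing) but are written as sibling top-level bullets, so the list renders as four parallel criteria instead of two criteria with a sentence each; indent them as nested items, e.g. `  * The project’s source must be available in a source code manager (such as GitHub or GitLab). ...`, or fold each explanation into its parent bullet. The JavaScript toolchain entry on line 123 is also vaguer than the Python and Java ones: "Any supported, non-EOL version of Node.js" leaves the reader to look up the Node.js release schedule, so consider naming the current minimum major version or linking to the upstream schedule so the three entries are comparable. The heading change from `## Library version support` to `### Library version support` keeps the same slug, so the in-page link `#licensing-and-source-availability` and any existing `#library-version-support` links still resolve; worth a quick check in the deploy preview that the new `### EOL version support` heading nests where intended.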