# OS Package Registry Overview

> Continuously patched OS packages for Debian, Ubuntu, and Alpine Linux - delivered via pkg.root.io.

Root's OS Package Registry (`pkg.root.io`) provides continuously patched versions of operating system packages for Debian, Ubuntu, and Alpine Linux. It closes the security gap between your hardened base image and the additional OS packages you install during Docker builds via `apt-get` or `apk`.

Even when using a Root Image Catalog (RIC) base image with zero CVEs, installing additional OS packages like `curl`, `git`, `openssl`, or `libcurl` can reintroduce vulnerabilities. The OS Package Registry eliminates this risk by serving Root-patched versions of those packages.

## How It Works

1. **You configure** `pkg.root.io` as an additional package repository in your Dockerfile.
2. **You install** packages using the `rootio-` prefix (e.g., `rootio-curl` instead of `curl`).
3. **Root serves** the patched version if available; if not, you fall back to the upstream package automatically.
4. **Root discovers** which packages your organization uses through install requests and monitors them under your SLA.

Root-patched OS packages are drop-in replacements - same functionality, same version, with CVEs remediated.
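
A check for step 2 above, added here as an example (not Root's own tooling): it scans a Dockerfile for `apt-get install` / `apk add` commands and lists the packages requested without the `rootio-` prefix. The parsing rules, function names, and sample Dockerfile are this example's assumptions; only the prefix convention comes from this page.

```python
import re
import shlex
from itertools import dropwhile

PREFIX = "rootio-"  # the only detail taken from the page; parsing is simplified
INSTALL_CMDS = {("apt-get", "install"), ("apt", "install"), ("apk", "add")}
VALUE_OPTS = {"-t", "--virtual", "-o", "--option", "-X", "--repository"}  # take a value

# Constructed sample Dockerfile: one prefixed package, one pinned upstream one.
SAMPLE = r"""FROM cr.root.io/python:3.11-slim-bookworm
RUN apt-get update \
    && apt-get install -y --no-install-recommends rootio-curl git=1:2.39* \
    && rm -rf /var/lib/apt/lists/*
"""


def run_commands(dockerfile):
    """Yield each shell command found in shell-form RUN instructions."""
    kept = [l for l in dockerfile.splitlines() if not l.lstrip().startswith("#")]
    joined = re.sub(r"\\[ \t]*\n", " ", "\n".join(kept))
    for line in joined.splitlines():
        m = re.match(r"\s*RUN\s+(.*)", line, re.IGNORECASE)
        if m:
            yield from re.split(r"&&|\|\||;", m.group(1))


def unprefixed_packages(dockerfile):
    """Return package names installed via apt/apk without the rootio- prefix."""
    findings = []
    for cmd in run_commands(dockerfile):
        try:
            tokens = shlex.split(cmd)
        except ValueError:  # separator inside a quoted string; not an install
            continue
        words, skip = [], False  # words becomes [tool, subcommand, pkg, ...]
        for tok in dropwhile(lambda t: t not in ("apt-get", "apt", "apk"), tokens):
            if skip or tok.startswith("-"):
                skip = tok in VALUE_OPTS  # next token is this option's value
                continue
            words.append(tok)
        if tuple(words[:2]) not in INSTALL_CMDS:
            continue
        names = [re.split(r"[=<>~:]", p)[0] for p in words[2:]]  # drop pins/arch
        findings += [n for n in names if not n.startswith(PREFIX)]
    return findings


if __name__ == "__main__":
    print(unprefixed_packages(SAMPLE))  # ['git']
```

Run in CI against each Dockerfile, a non-empty result marks packages that would still come from the upstream repository. Heredoc and exec-form `RUN` instructions are not parsed.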

## Supported Distros & Package Managers

| OS           | Package Manager | Registry URL                    | Supported Versions                    |
| ------------ | --------------- | ------------------------------- | ------------------------------------- |
| Debian       | APT             | `pkg.root.io/debian/<codename>` | trixie, bookworm, bullseye            |
| Ubuntu       | APT             | `pkg.root.io/ubuntu/<codename>` | oracular, noble, mantic, jammy, focal |
| Alpine Linux | APK             | `pkg.root.io/alpine/<version>`  | 3.22–3.18                             |

## Combining with RIC and RLC

The OS Package Registry is designed to work alongside Root's other products for complete stack coverage:

| Layer            | Product                    | What it secures                                               |
| ---------------- | -------------------------- | ------------------------------------------------------------- |
| Base image       | Root Image Catalog (RIC)   | Container base images from `cr.root.io`                       |
| OS packages      | OS Package Registry        | Packages installed via `apt-get` / `apk` from `pkg.root.io`   |
| App dependencies | Root Library Catalog (RLC) | Python, JavaScript, Java, and Go libraries from `pkg.root.io` |

**Recommended Dockerfile structure:**

```dockerfile
# Layer 1: Secured base image from RIC
FROM cr.root.io/python:3.11-slim-bookworm

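# Layer 2: Secured OS packages from OS Package Registry
# Note: ARG values are recorded in image metadata (visible in `docker history`);
# a BuildKit secret mount (RUN --mount=type=secret) avoids persisting the key.
ARG ROOTIO_API_KEY
# Placeholder: replace the next line with the repository setup and install commands.
RUN <configure pkg.root.io and install rootio-* packages>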

# Layer 3: Secured app dependencies from RLC
RUN pip config set global.index-url https://pkg.root.io/pypi/simple \
    && pip install -r requirements.txt
```

## Subscribing to OS Packages

Root tracks packages your organization installs through `pkg.root.io`. To manage your subscribed OS packages:

1. Navigate to **My Library** in [app.root.io](https://app.root.io).
2. Filter by the **OS Packages** ecosystem.
3. View discovered packages, their vulnerability status, and whether a Root-patched version is available.

You can also request support for additional packages that Root doesn't yet patch by using the **Submit Package Request** option in the UI.
