Merge pull request #539 from DeforaNetworks/freebsd-202509

2025/FreeBSD: import the 2025 September update

Author: micmarti85

alpha/engagements/2025/FreeBSD/README.md

@@ -19,6 +19,7 @@ Cleaning project. The deliverables and outcomes are expected as follows:
 * [June 2025](update-2025-06.md)
 * [July 2025](update-2025-07.md)
 * [August 2025](update-2025-08.md)
+* [September 2025](update-2025-09.md)
 
 ## Notes on the FreeBSD Security team and policies
 

alpha/engagements/2025/FreeBSD/update-2025-09.md

@@ -0,0 +1,71 @@
+# FreeBSD Update - September 2025
+
+## Immediate tasks
+
+Two major tasks were tackled this month, as per the timeline proposed for the
+project:
+
+* Inventory of dependencies
+* Assessment of the corresponding security risks
+
+The next task, planning the respective actions, will effectively start in
+October.
+
+## Timeline
+
+The current timeline looks as follows:
+ 
+| Phase                          | Start date | End date   | Status  |
+| ------------------------------ | ---------- | ---------- | ------- |
+| Inventory of dependencies      | 25/08/2025 | 07/09/2025 | Done    |
+| Security risk assessments      | 08/09/2025 | 21/09/2025 | Done    |
+| Propose list of priorities     | 22/09/2025 | 28/09/2025 | Ongoing |
+| Plan the respective actions    | 29/09/2025 | 26/10/2025 |         |
+| Formalize code owners          | 27/10/2025 | 30/11/2025 |         |
+| Integrate review methodologies |      _continuous_      ||         |
+| Plan execution & coordination  |      _continuous_      ||         |
+| Final report                   | 09/03/2026 | 30/03/2026 |         |
+
+### Task: Inventory of dependencies
+
+A first inventory of third-party software used in the base system was gathered,
+and sorted into the following categories:
+
+* Build dependency,
+* Boot-time/firmware,
+* Kernel code,
+* Toolchain or run-time support,
+* System or network service,
+* Libraries,
+* Cryptography, or
+* End-user applications.
+
+The [corresponding
+deliverable](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/security.md)
+is now generated from a [YAML
+database](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml),
+also meant to be used as a reference for the subsequent tasks in this project.
+
+This task re-used and aims at completing existing documentation from the FreeBSD
+project, as can be found in the
+[MAINTAINERS](https://github.com/FreeBSD/freebsd-src/blob/main/MAINTAINERS)
+file.
+
+Some software is written by official FreeBSD developers but primarily hosted or
+maintained outside of the FreeBSD project itself; these dependencies are meant
+to be included in this list as well, but are more difficult to identify.
+
+### Task: Security risk assessments
+
+The software identified in the list of priorities was rated according to a list
+of metrics: impact on developer systems or on the build infrastructure, on the
+integrity of the hardware or at the Operating System level (e.g., kernel or
+run-time), on network exposure, on the security of operations, on authentication
+capabilities, or more generally on the user applications.
+
+The most critical components identified so far are ZFS, WireGuard, OpenSSL, and
+libfido2.
+
+### Task: List of priorities
+
+This task has not started yet.