2025/FreeBSD: import the 2025 October update

Signed-off-by: Pierre Pronchery <pierre@freebsdfoundation.org>

Author: khorben

alpha/engagements/2025/FreeBSD/README.md

@@ -6,20 +6,21 @@ In 2025, the FreeBSD Project has been selected for the Alpha Omega Beach
 Cleaning project. The deliverables and outcomes are expected as follows:
 
 1. Inventory of FreeBSD's dependencies
-1. Observational anecdotal assessment
-1. Develop and share rapid review methodologies
-1. Prioritized list of most obvious risky or needy dependencies
-1. Plan for each risky dependency
-1. Execute on the plan for risky dependency
-1. Work with the respective stakeholders on tooling for automation
-1. Document and formalize community owners for each dependency
+2. Observational anecdotal assessment
+3. Develop and share rapid review methodologies
+4. Prioritized list of most obvious risky or needy dependencies
+5. Plan for each risky dependency
+6. Execute on the plan for risky dependency
+7. Work with the respective stakeholders on tooling for automation
+8. Document and formalize community owners for each dependency
 
 ## Monthly Updates
 
 * [June 2025](update-2025-06.md)
 * [July 2025](update-2025-07.md)
 * [August 2025](update-2025-08.md)
 * [September 2025](update-2025-09.md)
+* [October 2025](update-2025-10.md)
 
 ## Notes on the FreeBSD Security team and policies
 

alpha/engagements/2025/FreeBSD/update-2025-10.md

@@ -0,0 +1,99 @@
+# FreeBSD Update - October 2025
+
+## Immediate tasks
+
+One more major task was tackled this month, as per the timeline proposed for the
+project:
+
+* Propose list of priorities
+
+The next task, planning the respective actions, is being coordinated with two
+committees of the FreeBSD Project (secteam@ and srcmgr@) and still ongoing.
+
+Connections have also been made with two other initiatives, where collaboration
+is believed to be mutually beneficial: the Open Regulatory Compliance Working
+Group (ORC WG) on one hand, and the Software Bill of Materials (SBOM) initiative.
+Both are relevant to the new Cyber Resilience Act (CRA) from the European
+Union, and rely on the same information gathered as part of this project.
+
+## Timeline
+
+The current timeline looks as follows:
+ 
+| Phase                          | Start date | End date   | Status  |
+| ------------------------------ | ---------- | ---------- | ------- |
+| Inventory of dependencies      | 25/08/2025 | 07/09/2025 | Done    |
+| Security risk assessments      | 08/09/2025 | 21/09/2025 | Done    |
+| Propose list of priorities     | 22/09/2025 | 28/09/2025 | Done    |
+| Plan the respective actions    | 29/09/2025 | 26/10/2025 | Ongoing |
+| Formalize code owners          | 27/10/2025 | 30/11/2025 |         |
+| Integrate review methodologies |      _continuous_      ||         |
+| Plan execution & coordination  |      _continuous_      ||         |
+| Final report                   | 09/03/2026 | 30/03/2026 |         |
+
+### Task: Inventory of dependencies
+
+The inventory of third-party software used in the base system was completed,
+according to new information obtained from other FreeBSD developers.
+
+The
+[corresponding](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/dependencies.md)
+[deliverables](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/security.md)
+were re-generated accordingly from the [YAML
+database](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml),
+as before.
+
+### Task: List of priorities
+
+A first list of priorities was communicated to the security team (secteam@)
+where the most critical components identified were:
+
+1. libfido2, OpenSSL, WireGuard, and ZFS (score: 4)
+2. ACPI, BearSSL, Kerberos, libcbor, Lua, OpenPAM, OpenSSH, and zlib (score: 3)
+
+### Task: Plan the respective actions
+
+In response, additional metrics have been proposed by the source management team
+(srcmgr@) and will be investigated in November:
+
+* version gap,
+* time since last import, (if not forked)
+* presence and re-use of a test suite,
+* distance from upstream... (size of the patch)
+
+An automated mechanism to identify the current version of the dependencies
+installed is [currently being
+implemented](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/tree/khorben/versions/src/versions).
+
+This is expected to help determine the actual plan, together with the relevant
+committees of the FreeBSD Project.
+
+### Collaboration: CRA and SBOM
+
+The community around the CRA has now started to focus on self-attestations, in
+order to help Stewards for Open Source projects to comply with their
+responsibilities, and to communicate efficiently with any manufacturer
+downstream.
+
+In practice, this is expected to involve the creation of artefacts called SBOMs,
+a machine-readable inventory listing the components of a system, along with
+their respective provenance, dependencies and consumers, point of contact,
+licence, version and patch number, etc.
+
+This information is already being gathered as part of the beach cleaning
+project. The program converting the current database into the deliverables for
+this project has been extended in order to generate files in the [pkg-config
+format](https://people.freedesktop.org/~dbn/pkg-config-guide.html), to then be
+converted in the [SPDX format](https://spdx.dev) with the
+[bomtool](https://ariadne.space/2025/02/08/c-sboms-and-how-pkgconf.html)
+utility.
+
+This work is already taking place within the FreeBSD community for its
+[ports](https://ports.freebsd.org/cgi/ports.cgi) but a gap subsisted for the base
+system. The outcome of this contribution is relevant to this gap. The generation
+of the corresponding artefacts is still in-progress, but can be found here:
+
+* [pkgconfig
+   files](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/pkgconfig)
+* [SPDX
+   files](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/spdx)