From 83c2b37a0d3133ef8dfa908a903c3ecce1c7fb0c Mon Sep 17 00:00:00 2001 From: Pierre Pronchery Date: Wed, 5 Nov 2025 17:15:58 +0100 Subject: [PATCH] 2025/FreeBSD: import the 2025 October update Signed-off-by: Pierre Pronchery --- alpha/engagements/2025/FreeBSD/README.md | 15 +-- .../2025/FreeBSD/update-2025-10.md | 99 +++++++++++++++++++ 2 files changed, 107 insertions(+), 7 deletions(-) create mode 100644 alpha/engagements/2025/FreeBSD/update-2025-10.md diff --git a/alpha/engagements/2025/FreeBSD/README.md b/alpha/engagements/2025/FreeBSD/README.md index 031238f0..9c3aaac2 100644 --- a/alpha/engagements/2025/FreeBSD/README.md +++ b/alpha/engagements/2025/FreeBSD/README.md @@ -6,13 +6,13 @@ In 2025, the FreeBSD Project has been selected for the Alpha Omega Beach Cleaning project. The deliverables and outcomes are expected as follows: 1. Inventory of FreeBSD's dependencies -1. Observational anecdotal assessment -1. Develop and share rapid review methodologies -1. Prioritized list of most obvious risky or needy dependencies -1. Plan for each risky dependency -1. Execute on the plan for risky dependency -1. Work with the respective stakeholders on tooling for automation -1. Document and formalize community owners for each dependency +2. Observational anecdotal assessment +3. Develop and share rapid review methodologies +4. Prioritized list of most obvious risky or needy dependencies +5. Plan for each risky dependency +6. Execute on the plan for risky dependency +7. Work with the respective stakeholders on tooling for automation +8. Document and formalize community owners for each dependency ## Monthly Updates @@ -20,6 +20,7 @@ Cleaning project. The deliverables and outcomes are expected as follows: * [July 2025](update-2025-07.md) * [August 2025](update-2025-08.md) * [September 2025](update-2025-09.md) +* [October 2025](update-2025-10.md) ## Notes on the FreeBSD Security team and policies 
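Review bot: the renumbering of the deliverables list in the first README.md hunk (repeated `1.` replaced by explicit `2.` through `8.`) is unrelated to the October update named in the subject line and renders identically in Markdown; either split it into its own commit or mention it in the commit message. If it stays, be aware that the explicit numbers now have to be kept in sync by hand whenever an item is inserted or removed, whereas the repeated `1.` form was renumbered automatically by the renderer.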
diff --git a/alpha/engagements/2025/FreeBSD/update-2025-10.md b/alpha/engagements/2025/FreeBSD/update-2025-10.md new file mode 100644 index 00000000..10a58dd9 --- /dev/null +++ b/alpha/engagements/2025/FreeBSD/update-2025-10.md 
@@ -0,0 +1,99 @@ +# FreeBSD Update - October 2025 + +## Immediate tasks + +One more major task was tackled this month, as per the timeline proposed for the +project: + +* Propose list of priorities + +The next task, planning the respective actions, is being coordinated with two +committees of the FreeBSD Project (secteam@ and srcmgr@) and still ongoing. + +Connections have also been made with two other initiatives, where collaboration +is believed to be mutually beneficial: the Open Regulatory Compliance Working +Group (ORC WG) on one hand, and the Software Bill of Materials (SBOM) initiative. +Both are relevant to the new Cyber Resilience Act (CRA) from the European +Union, and rely on the same information gathered as part of this project. + +## Timeline + +The current timeline looks as follows: + +| Phase | Start date | End date | Status | +| ------------------------------ | ---------- | ---------- | ------- | +| Inventory of dependencies | 25/08/2025 | 07/09/2025 | Done | +| Security risk assessments | 08/09/2025 | 21/09/2025 | Done | +| Propose list of priorities | 22/09/2025 | 28/09/2025 | Done | +| Plan the respective actions | 29/09/2025 | 26/10/2025 | Ongoing | +| Formalize code owners | 27/10/2025 | 30/11/2025 | | +| Integrate review methodologies | _continuous_ || | +| Plan execution & coordination | _continuous_ || | +| Final report | 09/03/2026 | 30/03/2026 | | + +### Task: Inventory of dependencies + +The inventory of third-party software used in the base system was completed, +according to new information obtained from other FreeBSD developers. + +The +[corresponding](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/dependencies.md) +[deliverables](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/security.md) +were re-generated accordingly from the [YAML +database](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml), +as before. 
+ +### Task: List of priorities + +A first list of priorities was communicated to the security team (secteam@) +where the most critical components identified were: + +1. libfido2, OpenSSL, WireGuard, and ZFS (score: 4) +2. ACPI, BearSSL, Kerberos, libcbor, Lua, OpenPAM, OpenSSH, and zlib (score: 3) + +### Task: Plan the respective actions + +In response, additional metrics have been proposed by the source management team +(srcmgr@) and will be investigated in November: + +* version gap, +* time since last import, (if not forked) +* presence and re-use of a test suite, +* distance from upstream... (size of the patch) + +An automated mechanism to identify the current version of the dependencies +installed is [currently being +implemented](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/tree/khorben/versions/src/versions). + +This is expected to help determine the actual plan, together with the relevant +committees of the FreeBSD Project. + +### Collaboration: CRA and SBOM + +The community around the CRA has now started to focus on self-attestations, in +order to help Stewards for Open Source projects to comply with their +responsibilities, and to communicate efficiently with any manufacturer +downstream. + +In practice, this is expected to involve the creation of artefacts called SBOMs, +a machine-readable inventory listing the components of a system, along with +their respective provenance, dependencies and consumers, point of contact, +licence, version and patch number, etc. + +This information is already being gathered as part of the beach cleaning +project. The program converting the current database into the deliverables for +this project has been extended in order to generate files in the [pkg-config +format](https://people.freedesktop.org/~dbn/pkg-config-guide.html), to then be +converted in the [SPDX format](https://spdx.dev) with the +[bomtool](https://ariadne.space/2025/02/08/c-sboms-and-how-pkgconf.html) +utility. 
+ +This work is already taking place within the FreeBSD community for its +[ports](https://ports.freebsd.org/cgi/ports.cgi) but a gap subsisted for the base +system. The outcome of this contribution is relevant to this gap. The generation +of the corresponding artefacts is still in-progress, but can be found here: + +* [pkgconfig + files](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/pkgconfig) +* [SPDX + files](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/spdx)
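Review bot: the timeline table in update-2025-10.md is inconsistent with the surrounding text: `| Plan the respective actions | 29/09/2025 | 26/10/2025 | Ongoing |` gives an end date that had already passed when this update was committed (5 November), while the "Immediate tasks" section says the planning is "still ongoing"; either extend the end date or add a line stating that the phase slipped. The same section says "Propose list of priorities" was tackled "this month", but the table records it as done 22/09/2025 to 28/09/2025, so one of the two should be adjusted. Smaller points in the same hunk: the priorities list quotes "(score: 4)" and "(score: 3)" without saying what scale the scores use, so link the security.md risk-assessment deliverable or state the range; the "currently being implemented" link points at the personal `khorben/versions` branch, which will go stale once merged, so pin it to a commit or to the eventual path on main; the two `_continuous_` rows use `||` for the empty End date cell, which renders but is easier to maintain as `| |`; and the DD/MM/YYYY dates are ambiguous to non-European readers, so ISO 8601 (YYYY-MM-DD) would be safer. Wording: "on one hand" has no matching "on the other", "time since last import, (if not forked)" has a stray comma before the parenthesis, "converted in the SPDX format" should read "converted into", "a gap subsisted" should read "a gap remained", and "in-progress" should be "in progress".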