Date: Wed, 04 Feb 2026 16:44:38 +0000 From: Joseph Mingrone <jrm@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 66ecb4ba94 - main - status/2025q4: Add FreeBSD Foundation STA entry Message-ID: <69837776.18884.c902b52@gitrepo.freebsd.org>
The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/doc/commit/?id=66ecb4ba940e913a1ac10490a388ffa6aeddb15e

commit 66ecb4ba940e913a1ac10490a388ffa6aeddb15e
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2026-01-29 20:50:57 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2026-02-04 16:36:44 +0000

    status/2025q4: Add FreeBSD Foundation STA entry

    Author:                 Alice Sowerby <alice@freebsdfoundation.org>
    Reviewed by:            status (salvadore)
    Sponsored by:           The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D54950
---
 .../report-2025-10-2025-12/foundation-sta.adoc | 136 +++++++++++++++++++++
 1 file changed, 136 insertions(+)

diff --git a/website/content/en/status/report-2025-10-2025-12/foundation-sta.adoc b/website/content/en/status/report-2025-10-2025-12/foundation-sta.adoc
new file mode 100644
index 0000000000..0b852c2227
--- /dev/null
+++ b/website/content/en/status/report-2025-10-2025-12/foundation-sta.adoc
@@ -0,0 +1,136 @@ +=== Infrastructure Modernization + +Contact: Ed Maste <emaste@FreeBSD.org> + +Contact: Alice Sowerby <alice@freebsdfoundation.org> + +The project started in Q3 of 2024 and was commissioned by the Sovereign Tech Agency with a budget of $745,000, to be spent until the end of 2025. +The main goals are to improve security tools for the base system, ports, and packages, update the project's infrastructure to speed up development, enhance build security, and make it easier for new developers to get started. + +For more detailed information and updates, please visit the new link:https://github.com/FreeBSDFoundation/all-projects/tree/main/Infrastructure%20Modernization%20(STA%20commissioned)[project information repo]. + +==== Q4 update + +All five work packages are complete as of the end of December 2025 and the project is closed. +At the time of writing (mid-December) some elements are still in review and these have been handed over to Foundation staff to land appropriately. + +===== Work Package A: Technical Debt Reduction + +This work package was completed in September 2025. +The project successfully ran alongside the setting up of the FreeBSD Project's Source Management team as they created and embedded their new processes to make bug management easier and more sustainable. + +The scope was co-created with srcmgr@. + +Work items are as follows: + +* Create a dashboard for the Source Management team to get a clearer picture of the bug backlog, and how effectively it is being managed (e.g. Time to First Attention for new bugs). +** Output: https://grimoire.freebsd.org/ +* Upgrade Bugzilla to a supported release to improve security and benefit from new functionality. +** Output: https://wiki.freebsd.org/Bugzilla/Roadmap +* Create a method for applying patches automatically. +** Output: https://github.com/linimon/patchQA +* Creating upstream documentation for running GrimoireLab (bug dashboard) on FreeBSD. 
+** Output: https://github.com/chaoss/grimoirelab/blob/main/FreeBSD.md + +===== Work Package B: Zero Trust Builds + +This work package has made it possible to build FreeBSD reproducibly, and without requiring root privilege. + +The detailed scope was co-created with core@, srcmgr@, secteam@. + +Work items are as follows: + +* Must +** No-root for all source release build cases/artifacts (complete) +** Src artifacts to build reproducibly (complete) +** Formalize and document make world and release.sh (in review) +* Should +** Remove privilege from orchestration tooling (descoped due to an alternative solution being likely in the medium-term) +** Move build scripts into the public repository (in review) +** Address dependencies (complete) +* Could +** Environment Standardization (in review) +** Ports to build reproducibly (in review) +** CI to verify reproducibility (in review) +** Documentation to allow 3rd parties to confirm reproducibility (in review) + +===== Work Package C: CI/CD Automation + +This work package has improved CI/CD automation to streamline software delivery and operations for new and existing software by modernizing and securitizing the existing CI/CD system and extending it to cover the third party packages in the FreeBSD Ports Collection. + +The detailed scope was co-created with core@, srcmgr@, portmgr@, doceng@. 
+ +Work items are as follows: + +* Must +** Improve quality of incoming commits (in review) +** Pre-merge CI (complete) +** Environment Metadata (complete) +** Extend CI to the Ports tree (in review) +** CI Threat Model (in review) +** CI Management Process (in review) +** Documentation (in review) +* Should +** 3rd-party Interoperability (in review) +** Automated analysis in tests (in review) +** Test Case Management (in review) +* Could +** Granular Debugging (in review) + +===== Work Package D: Ports and Packages security improvements + +This work package improved security for the FreeBSD Ports and Package Collection in several ways. +We added support for the OSV (Open Source Vulnerability) format, which is a standardized way to describe security vulnerabilities. +We also built basic tools to download vulnerability information from global security databases, with a particular focus on the NIST Common Platform Enumeration (CPE) Dictionary. + +The man:pkg[8] tool can now create and read CPE strings, though it does not yet support CPE JSON format. +We wrote new test cases for CPE and OSV parsing, and updated the existing man:pkg[8] security audit tests. +Additionally, we created a test repository that converts FreeBSD vulnerability data to OSV format, which works with man:pkg[8]. +This test repository has been reviewed for accuracy, and the process of converting from the old FreeBSD VuXML format to the new OSV format is now straightforward. + +The detailed scope was co-created with core@, portmgr@, pkgmgr@, secteam@. 
+ +Work items are as follows: + +* Must +** New Database Format (complete) +** Set up 2+ Database Instances (descoped due to time constraints) +** Migrate Data from old to new database (POC complete) +** Add support for new format in man:pkg[8] (complete) +** Upstream engagement (complete) +** SBOM on demand (in review) +** Document how to set up build and test targets (in review) +** Integrate 3rd party test targets (descoped due to time constraints) +** Continuous Testing (in review) +* Could +** Make CI artifacts available (descoped due to time constraints) + +===== Work Package E: SBOM improvements + +This work package delivered foundational improvements to the tools and processes for generating the FreeBSD Software Bill of Materials (SBOM). + +We made changes (currently under review) to consolidate individual provenance data from both the base system and ports trees into a unified, higher-level view. +We also created tooling that can scan the FreeBSD source tree and generate an SBOM report covering the entire software stack. + +The FreeBSD ports tree already had good metadata for creating SBOMs and established tools for tracking package dependencies, so our SBOM solutions for ports are now mature and in the review stage. +However, the FreeBSD base system uses a completely different build system, with SBOM information scattered throughout the repository. +The main challenge here has been gathering all the dependencies and package information into one place. +As a result, SBOM creation for the FreeBSD base system is still at the technical preview stage with only example data currently available. + +A follow-on project has been commissioned for early 2026 to build on the foundational elements and develop a full, robust SBOM solution. + +The detailed scope was co-created with core@, portmgr@, pkgmgr@, secteam@, releng@. 
+ +Work items are as follows: + +* Must +** Evaluate projects/solutions available in the wider ecosystem (complete) +** Propose the target solution for SBOM (in review) +** Produce an SBOM in CI (e.g. weekly builds) (descoped due to time constraints) +** Produce an SBOM as an artifact as part of the release process (partially complete) +** SBOM artifact on demand (in review) +** Roll up existing data (in review) +** Record and explain decisions made (in review) +* Could +** Engage with other similar projects (complete) + +Commissioning body: Sovereign Tech Agency
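Review bot: In the Work Package C paragraph, "modernizing and securitizing the existing CI/CD system" uses "securitizing", which is a finance term (turning assets into tradable securities); the intended meaning here is "securing" or "hardening", so I'd change it to "modernizing and hardening the existing CI/CD system". Two smaller consistency points in the same file: the fourth Work Package A item, "Creating upstream documentation for running GrimoireLab (bug dashboard) on FreeBSD.", should use the imperative "Create" like the three items before it, and the Work Package D heading "Ports and Packages security improvements" could match the capitalization of the neighbouring headings ("Zero Trust Builds", "CI/CD Automation").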
