
Strengthening FreeBSD’s Software Supply Chain: Year Two of Alpha-Omega Support

By Pierre Pronchery, Security Engineer at the FreeBSD Foundation

Last year, Alpha-Omega supported the FreeBSD Project with a security audit of two critical components: the bhyve hypervisor and the Capsicum sandboxing technology. The FreeBSD Foundation coordinated the effort, including the handling and disclosure of the security vulnerabilities found and fixed during the project.

Again this year, the FreeBSD Foundation has been granted a project from Alpha-Omega, with a broader scope: improving the security and maintenance of third-party software within the FreeBSD base system. This is part of the “Beach Cleaning” initiative of Alpha-Omega.

This initiative provided an opportunity to solve a critical task right from the start. When FreeBSD 14.0 was released in 2023 with OpenSSL 3.0, it benefited from the Long Term Support (LTS) status designated for that branch; but this support expires in September 2026. Luckily, the latest stable branch of OpenSSL, 3.5, had just been designated as LTS as well. With FreeBSD 15.0 approaching, it only made sense to import that release into the base system and benefit from its Long Term Support status until April 2030.

We achieved exactly this, just in time for the FreeBSD release schedule. With this behind us, we could plan the next steps of the project with a more structured approach: creating the inventory, assessing the respective security risks, deciding on the priorities, and agreeing on a list of actions.

These four tasks have been executed so that their results can be consumed programmatically. In practice, Alpha-Omega expressed a strong preference for machine-readable deliverables, and this property opened up another opportunity: a mutually beneficial collaboration with a different initiative, the elaboration of Software Bill of Materials (SBOM) files for the base system.

Indeed, collecting the list of dependencies, complete with licensing and version information, is exactly what this other task needs. After converting the collection to the YAML file format, it was possible to generate files in the pkg-config format for each dependency, and then to leverage a program called bomtool to generate SPDX files. This side quest is still in progress: we keep enriching and correcting the collected information to obtain more accurate results.
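To make the pipeline above concrete, here is an added example (written for this post, not the Foundation's own inventory tooling) that takes a small constructed inventory, renders one pkg-config file per dependency, validates the entries for missing fields, and emits a minimal SPDX 2.3 document in JSON form. The inventory entries, their field names and the output paths are assumptions; the real pipeline hands the pkg-config files to bomtool, which this example replaces with a hand-built SPDX document so that it runs offline.

```python
"""Added example: dependency inventory -> pkg-config files -> SPDX document.

The inventory below is constructed for illustration; the FreeBSD project's real
inventory lives in a YAML file and its SPDX output comes from bomtool. Both
are replaced here with in-memory data and a hand-built SPDX 2.3 JSON document.
"""
import json
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample inventory (hypothetical entries, not the real list).
INVENTORY = [
    {"name": "example-tls", "version": "3.5.0", "license": "Apache-2.0",
     "url": "https://example.invalid/tls", "path": "crypto/example-tls"},
    {"name": "example-zlib", "version": "1.3.1", "license": "Zlib",
     "url": "https://example.invalid/zlib", "path": "contrib/example-zlib"},
]

# Fields every entry must carry before it is useful for an SBOM.
REQUIRED = ("name", "version", "license", "url", "path")


def missing_fields(inventory):
    """Return (name, field) pairs for entries that still need enrichment."""
    gaps = []
    for dep in inventory:
        for field in REQUIRED:
            if not dep.get(field):
                gaps.append((dep.get("name", "?"), field))
    return gaps


def to_pkgconfig(dep):
    """Render one inventory entry as the body of a pkg-config (.pc) file."""
    return "\n".join([
        "prefix=/usr",
        "libdir=${prefix}/lib",
        "includedir=${prefix}/include",
        "",
        f"Name: {dep['name']}",
        f"Description: {dep['name']} as vendored in the base system ({dep['path']})",
        f"URL: {dep['url']}",
        f"Version: {dep['version']}",
        "Libs: -L${libdir}",
        "Cflags: -I${includedir}",
    ]) + "\n"


def parse_pkgconfig(text):
    """Read the 'Key: value' lines of a .pc file; variable lines (a=b) are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and "=" not in key and " " not in key:
            fields[key] = value.strip()
    return fields


def to_spdx(inventory, namespace):
    """Build an SPDX 2.3 document (JSON form) with one package per dependency."""
    packages = [{
        "SPDXID": "SPDXRef-Package-" + dep["name"],
        "name": dep["name"],
        "versionInfo": dep["version"],
        "downloadLocation": dep["url"],
        "licenseConcluded": dep["license"],
        "licenseDeclared": dep["license"],
        "copyrightText": "NOASSERTION",
    } for dep in inventory]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "base-system-dependencies",
        "documentNamespace": namespace,
        "creationInfo": {"created": "2025-01-01T00:00:00Z",  # constructed timestamp
                         "creators": ["Tool: inventory-to-spdx-example"]},
        "packages": packages,
        # Every package is described by the document itself.
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": p["SPDXID"]} for p in packages],
    }


def write_outputs(inventory, outdir, namespace="https://example.invalid/spdx/1"):
    """Write one .pc file per dependency plus the SPDX document; return file names."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    for dep in inventory:
        (out / f"{dep['name']}.pc").write_text(to_pkgconfig(dep))
    (out / "sbom.spdx.json").write_text(json.dumps(to_spdx(inventory, namespace), indent=2))
    return sorted(p.name for p in out.iterdir())


def demo():
    """Run the whole pipeline into a temporary directory and return the file names."""
    with TemporaryDirectory() as tmp:
        return write_outputs(INVENTORY, tmp)


if __name__ == "__main__":
    print(missing_fields(INVENTORY), demo())
```

The `missing_fields` check is the part worth keeping around: an SBOM with an unknown version or license for a dependency is exactly the kind of gap the enrichment pass described above is meant to close, and running the check before generation keeps incomplete entries from silently producing an SPDX package with no usable version.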

Meanwhile, the data collected so far has been communicated internally to the Security Team (secteam@) and the Source Management team (srcmgr@) for coordination and decisions regarding the actions to be performed. While the exact list has not been determined yet, it can be expected to include:

  • Formalizing the respective ownership.
  • Integrating more test suites into FreeBSD.
  • Improving tracking of changes and advisories upstream.

Before concluding this post, I would like to mention some facts and observations on the list of dependencies, aligning with the “Fix/Fork/Forego” mantra of the project:

  • Some of them can effectively be considered as forks already, having no active or matching upstream anymore.
  • Some dependencies are maintained externally, but by active, official developers of the FreeBSD Project, and are effectively developed in close coordination with the project.
  • Interestingly, some dependencies exist in practice but live outside of the source tree, even ones as critical as the package management tool (pkg) and the source code management tool (Git); these may end up being imported into the base system at a later stage.

This grant is coordinated by Pierre Pronchery on behalf of the FreeBSD Foundation. He is in charge of the corresponding repository on GitHub. Contributions are welcome!

Author Bio

Pierre Pronchery is a Security Engineer at the FreeBSD Foundation.
Pierre installed his first FreeBSD system back in 2001, while studying the possibilities of the different open source operating systems available. Passionate about their design and implementation, he gradually focused on NetBSD from 2005, eventually becoming a NetBSD developer in 2012 and serving on the Board of Directors of the NetBSD Foundation since 2017. He is now a FreeBSD developer as well.