Florine Kamdem
Guest
Original article here.
In 2024 The Sovereign Tech Agency commissioned an ambitious body of work to strengthen and modernize the infrastructure that FreeBSD contributors depend on.
The program of work totaling €686,400 was managed by the FreeBSD Foundation and has run from August 2024 to December 2025.
The main goals of the program were to accelerate planned work to deliver zero trust builds, SBOM and security tooling, and improve developer experience.
As the project nears completion, some of the key work delivered is:
Zero Trust Builds
FreeBSD now builds reproducibly and without root privilege.
The FreeBSD Foundation has completed work enabling FreeBSD builds without requiring root privileges. All release artifacts (ISO images, USB memstick images, VM images, and cloud disk images) can now be created without elevated access, reducing security risks from device file creation, ownership changes, and filesystem mounting during builds.
Alongside no-root support, FreeBSD introduced reproducible builds ensuring identical sources produce identical binaries. This involved normalizing timestamps, stabilizing file ordering, and creating consistent build environments. These improvements strengthen supply chain integrity, enable unprivileged container-based CI systems, and allow contributors to build complete releases locally, making FreeBSD management faster, more secure, and transparent.
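As an added illustration (not FreeBSD's own build code) of the three normalisations named above, this Python script archives the same constructed source tree twice, once naively and once with sorted file order, timestamps clamped to an assumed SOURCE_DATE_EPOCH and fixed ownership, and compares the digests of the two archives.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def make_tree(root, mtime):
    """Constructed sample source tree; every file is stamped with the given mtime."""
    for name, data in (("b.txt", b"beta\n"), ("a.txt", b"alpha\n"), ("lib/c.so", b"\x7fELF")):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))

def relative_files(root):
    return [os.path.relpath(os.path.join(d, f), root) for d, _, files in os.walk(root) for f in files]

def naive_tar(root):
    """Directory-walk order, real mtimes and the builder's uid/gid all leak into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for rel in relative_files(root):
            tar.add(os.path.join(root, rel), arcname=rel)
    return buf.getvalue()

def reproducible_tar(root, source_date_epoch=1_700_000_000):  # assumed SOURCE_DATE_EPOCH (constructed)
    """Sorted paths, mtimes clamped to SOURCE_DATE_EPOCH, fixed ownership: output depends only on the inputs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(relative_files(root)):  # stable file ordering
            full = os.path.join(root, rel)
            info = tar.gettarinfo(full, arcname=rel)
            info.mtime = min(int(info.mtime), source_date_epoch)  # normalised timestamp
            info.uid = info.gid = 0  # no dependence on who ran the build
            info.uname = info.gname = "root"
            with open(full, "rb") as f:
                tar.addfile(info, f)
    return buf.getvalue()

def compare_builds():
    """Archive two checkouts of the same sources made 100 s apart; return (naive_identical, reproducible_identical)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, 1_800_000_000)
        make_tree(b, 1_800_000_100)
        naive = hashlib.sha256(naive_tar(a)).hexdigest() == hashlib.sha256(naive_tar(b)).hexdigest()
        repro = hashlib.sha256(reproducible_tar(a)).hexdigest() == hashlib.sha256(reproducible_tar(b)).hexdigest()
    return naive, repro
```

Running compare_builds() returns (False, True): the naive archives differ because the checkout times differ, the normalised ones match byte for byte.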
CI/CD Automation
A package of changes to CI tooling will improve the development workflow by enabling developers to test code changes before merging and extending automated testing to the Ports tree. This will make debugging easier by providing better test metadata, automated code analysis, and notifications to code owners when issues arise.
Tooling will soon* be available which:
- Extends CI to the Ports tree.
- Gives developers the ability to run CI (locally or in the cloud) on their proposed source code changes before they are merged into main.
- Collects test environment metadata to help with reproducing bugs.
- Supports running CI in 3rd party services.
- Provides automated code analysis as part of CI.
- Notifies code owners when a test fails and provides details about related code changes.
Also, part of the project:
- Automated updates to keep CI tooling up-to-date.
- A CI threat model to support future security planning.
* This work has been sitting behind the 15.0 release and will take a little longer to deliver.
Reduce Technical Debt
The Foundation worked with the Source Manager team to specify and create an analytics dashboard to gather insights from across the different tools containing information about bugs and technical debt. This was combined with a focus in the community on “bugbusting” sessions, some Bugzilla upgrades, and related new tooling to apply patches automatically. The changes have meant that there has been a sustained improvement in bug management. Over the last year the rate of closing bugs has been higher than the rate of bugs being raised.
Security Controls
Changes have been made to support FreeBSD’s adoption of the emerging OSV (Open Source Vulnerability) format for its vulnerability data. This standardization makes it easier for downstream users to access and process security information using existing ecosystem tools, while also simplifying imports of vulnerability data from FreeBSD’s third-party components.
An OSV database for FreeBSD has been created, and OSV parsing capability has been added to pkg. Conversion tools are also available to transform existing VuXML data to OSV, with CI to automatically validate the output. pkg audit can also now handle OSV data.
FreeBSD was also added to the upstream OSV schema to allow 3rd-party tooling to be updated to correctly handle FreeBSD OSV data.
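An added example, not the Foundation's converter or pkg code: a Python sketch of the VuXML-to-OSV mapping described above, together with the kind of structural check a CI job could apply to the converter's output. The ecosystem label "FreeBSD:ports", the "FreeBSD-" id prefix and the sample entry (vid, package names, versions, CVE) are assumptions and placeholders, not real advisory data.

```python
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
ECOSYSTEM = "FreeBSD:ports"  # assumption: OSV ecosystem label used for Ports-tree packages
# Constructed VuXML entry in the shape of a real one; vid, package, versions and CVE are placeholders.
VUXML_SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="00000000-0000-4000-8000-000000000001">
  <topic>examplepkg -- out-of-bounds read in request parser</topic>
  <affects><package><name>examplepkg</name><name>examplepkg-lite</name>
    <range><ge>2.0</ge><lt>2.3.1</lt></range></package></affects>
  <references><cvename>CVE-0000-0000</cvename></references>
  <dates><discovery>2025-01-10</discovery><entry>2025-01-12</entry><modified>2025-02-01</modified></dates>
</vuln></vuxml>"""

def _range_events(rng):
    """<ge> opens the range (OSV requires an 'introduced' event); <lt> closes it as 'fixed', <le> as 'last_affected'."""
    events = [{"introduced": rng.findtext("v:ge", None, NS) or "0"}]
    lt, le = rng.findtext("v:lt", None, NS), rng.findtext("v:le", None, NS)
    if lt or le:
        events.append({"fixed": lt} if lt else {"last_affected": le})
    return events

def vuxml_to_osv(xml_text):
    """Map every <vuln> to one OSV record, with one 'affected' block per package name."""
    records = []
    for vuln in ET.fromstring(xml_text).findall("v:vuln", NS):
        entry_day = vuln.findtext("v:dates/v:entry", None, NS)
        rec = {
            "id": "FreeBSD-" + vuln.get("vid"),  # assumption: how the OSV id is derived from the vid
            "published": entry_day + "T00:00:00Z",
            "modified": (vuln.findtext("v:dates/v:modified", None, NS) or entry_day) + "T00:00:00Z",
            "summary": vuln.findtext("v:topic", "", NS),
            "aliases": [c.text for c in vuln.findall("v:references/v:cvename", NS)],
            "affected": [],
        }
        for pkg in vuln.findall("v:affects/v:package", NS):
            ranges = [{"type": "ECOSYSTEM", "events": _range_events(r)} for r in pkg.findall("v:range", NS)]
            for name in pkg.findall("v:name", NS):
                rec["affected"].append({"package": {"ecosystem": ECOSYSTEM, "name": name.text}, "ranges": ranges})
        records.append(rec)
    return records

def validate_osv(rec):
    """Structural checks a CI job could run over converter output; returns a list of problems."""
    problems = [f"missing {k}" for k in ("id", "modified", "affected") if not rec.get(k)]
    for aff in rec.get("affected", []):
        if any(not r["events"] or "introduced" not in r["events"][0] for r in aff["ranges"]):
            problems.append(f"{aff['package']['name']}: range must start with 'introduced'")
    return problems
```

validate_osv(vuxml_to_osv(VUXML_SAMPLE)[0]) returns an empty list for the sample; a range whose first event is not 'introduced' is reported by package name.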
SBOM Improvements
Foundational tooling to generate SBOMs for FreeBSD has been created by consolidating scattered provenance data into unified reports. The Ports tree implementation is mature and ready for review, while Base system SBOM generation remains in technical preview due to its complex build system. A follow-on project in early 2026 will build on this groundwork to deliver production-ready SBOM capabilities across the entire FreeBSD stack.
The post Infrastructure Modernization – commissioned by the Sovereign Tech Agency first appeared on FreeBSD Foundation.