      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   Security engineering at the FreeBSD Foundation   
      
   Links:   
   FreeBSD Foundation Releases Bhyve and Capsicum Security Audit Funded by Alpha-Omega Project URL: https://freebsdfoundation.org/news-and-events/latest-news/freebsd-foundation-releases-bhyve-and-capsicum-security-audit-funded-by-alpha-omega-project/   
   How FreeBSD security audits have improved our security culture URL: https://fosdem.org/2025/schedule/event/fosdem-2025-6152-how-freebsd-security-audits-have-improved-our-security-culture/   
   Home of the ORC WG URL: https://github.com/orcwg/orcwg   
   FreeBSD Foundation: Contact Us URL: https://freebsdfoundation.org/about-us/contact-us/   
   Open Source Vulnerability schema (OSV Schema) URL: https://openssf.org/projects/osv-schema/   
   ossf/osv-schema tools: import a conversion tool to and from VuXML (#237) URL: https://github.com/ossf/osv-schema/pull/237   
      
   Contact: Pierre Pronchery    
      
   My tasks at the FreeBSD Foundation continue to revolve around Security   
   Engineering for the FreeBSD Project.   
      
   First, we keep working on the outcome of the source code audit on bhyve and   
   Capsicum, documenting and researching how to prevent and mitigate similar   
   issues from occurring again in the future. This includes the processes relevant   
   for contributions to the FreeBSD Project, as well as the preparation of a joint   
   presentation with Alpha-Omega at the BSD Devroom during the coming FOSDEM   
   conference in 2025.   
      
   At the same time, I am liaising with the Open Regulatory Compliance Working   
   Group (ORC WG), where an FAQ is being elaborated jointly by a number of   
   stakeholders on the European Union’s newly introduced Cyber Resilience Act   
   (CRA). This is all related to our ongoing collaboration with OpenSSF, notably   
   the self-assessment initiative; note that the FreeBSD Foundation can provide   
   assistance in this regard for projects deploying FreeBSD.   
      
   Finally, possibilities around the integration of OSV tooling into the FreeBSD   
   ecosystem are under investigation as well.   
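   As an illustration of what such an integration involves, the following is an added example (written for this report, not the FreeBSD Project's tooling and not the conversion tool from ossf/osv-schema#237) that maps a FreeBSD VuXML entry onto an OSV record. The VuXML entry is constructed here with a made-up vid and placeholder CVE; the OSV ecosystem name "FreeBSD" and the "VUXML-" id prefix are assumptions, since the page does not say which names will be used. The point it shows is that the two range vocabularies do not line up one-to-one: VuXML bounds are lt/le/gt/ge/eq, OSV events are introduced/fixed/last_affected, and a gt bound has to be widened and flagged.

```python
# Added example: VuXML -> OSV conversion sketch. Not the FreeBSD Project's or the
# OpenSSF tool; the sample entry, the "FreeBSD" ecosystem name and the "VUXML-"
# id prefix are constructed assumptions for this illustration.
import json
import xml.etree.ElementTree as ET

VUXML_NS = "{http://www.vuxml.org/apps/vuxml-1}"
XHTML_NS = "{http://www.w3.org/1999/xhtml}"

# Constructed VuXML input (not a real advisory; vid and CVE are placeholders).
SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-4000-8000-000000000001">
    <topic>example -- hypothetical heap overflow in request parser</topic>
    <affects>
      <package>
        <name>example</name>
        <name>example-lite</name>
        <range><ge>2.0</ge><lt>2.3.1</lt></range>
        <range><eq>1.9.9</eq></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Constructed description: a crafted request overflows a heap buffer.</p>
      </body>
    </description>
    <references>
      <cvename>CVE-0000-0000</cvename>
      <url>https://example.invalid/advisory</url>
    </references>
    <dates>
      <discovery>2024-11-01</discovery>
      <entry>2024-11-02</entry>
      <modified>2024-11-05</modified>
    </dates>
  </vuln>
</vuxml>
"""


def range_to_events(rng):
    """Translate one VuXML <range> into an OSV event list plus review notes.

    lt -> fixed, le -> last_affected, ge -> introduced, eq -> introduced + last_affected.
    gt has no exact OSV counterpart (OSV 'introduced' is inclusive), so it is
    widened to an inclusive introduced bound and flagged for human review.
    """
    bounds = {child.tag[len(VUXML_NS):]: child.text.strip() for child in rng}
    events, notes = [], []
    if "eq" in bounds:
        v = bounds["eq"]
        return [{"introduced": v}, {"last_affected": v}], notes
    if "ge" in bounds:
        events.append({"introduced": bounds["ge"]})
    elif "gt" in bounds:
        events.append({"introduced": bounds["gt"]})
        notes.append("gt %s widened to inclusive introduced" % bounds["gt"])
    else:
        events.append({"introduced": "0"})  # OSV ranges must start somewhere
    if "lt" in bounds:
        events.append({"fixed": bounds["lt"]})
    elif "le" in bounds:
        events.append({"last_affected": bounds["le"]})
    return events, notes


def vuln_to_osv(vuln, ecosystem="FreeBSD"):
    """Build one OSV record (as a dict) from one VuXML <vuln> element."""
    ns = VUXML_NS
    dates = vuln.find(ns + "dates")
    entry = dates.findtext(ns + "entry").strip()
    modified = (dates.findtext(ns + "modified") or entry).strip()
    body = vuln.find(ns + "description/" + XHTML_NS + "body")
    details = " ".join("".join(body.itertext()).split()) if body is not None else ""
    affected, notes = [], []
    for pkg in vuln.findall(ns + "affects/" + ns + "package"):
        ranges = []
        for rng in pkg.findall(ns + "range"):
            events, rng_notes = range_to_events(rng)
            ranges.append({"type": "ECOSYSTEM", "events": events})
            notes.extend(rng_notes)
        # VuXML lists several port names per <package>; OSV wants one package per entry.
        for name in pkg.findall(ns + "name"):
            affected.append({"package": {"ecosystem": ecosystem, "name": name.text.strip()},
                             "ranges": ranges})
    refs = vuln.find(ns + "references")
    urls = refs.findall(ns + "url") if refs is not None else []
    cves = refs.findall(ns + "cvename") if refs is not None else []
    record = {
        "schema_version": "1.6.0",
        "id": "VUXML-" + vuln.get("vid"),  # assumed id scheme
        "modified": modified + "T00:00:00Z",  # VuXML dates carry no time of day
        "published": entry + "T00:00:00Z",
        "aliases": [c.text.strip() for c in cves],
        "summary": vuln.findtext(ns + "topic").strip(),
        "details": details,
        "affected": affected,
        "references": [{"type": "WEB", "url": u.text.strip()} for u in urls],
    }
    if notes:
        record["database_specific"] = {"conversion_notes": notes}
    return record


def convert(vuxml_text):
    """Convert every <vuln> in a VuXML document to a list of OSV records."""
    root = ET.fromstring(vuxml_text)
    return [vuln_to_osv(v) for v in root.findall(VUXML_NS + "vuln")]


if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE_VUXML), indent=2))
```

   The conversion_notes field is where the lossy cases surface: anything widened from a gt bound should be checked by a human before the record is published, because an over-wide range will flag unaffected package versions in every OSV-based scanner.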
      
   Sponsored by: The FreeBSD Foundation   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   Security Audits   
      
   Contact: Ed Maste    
   Contact: Alice Sowerby   
      
   The project began in Q2 of 2024 and was funded by Alpha Omega with a budget of   
   $137,500, which was used over about six months and is now complete. The focus   
   was on conducting a code audit for key subsystems, bhyve and Capsicum, as well   
   as performing a security audit of the development process. The funds were used   
   to hire a specialist offensive security firm to perform the code audit, to   
   contract developers to address issues found, and for Foundation staff’s work on   
   both audits.   
      
   Q4 update   
   The project is complete.   
      
   The Code Audit and subsequent reports were released after the related Security   
   Advisories were published.   
      
   The Process Audit is complete. It was created by FreeBSD Foundation staff who   
   ran an outreach exercise to gather information about the current FreeBSD   
   development process. The teams consulted were: Security Team, Source Management   
   Team, Cluster Administrators, Release Engineering Team.   
      
   Information was gathered through an online long-form survey which was   
   structured around existing frameworks for analysing security in software   
   development. Teams were asked to describe current development processes and   
   appraise the current security practices, as well as to make suggestions for   
   improvements.   
      
   The responses were collated and synthesised into the report by Foundation   
   staff. The report was reviewed for accuracy by the original respondents.   
      
   The report will now be made available to the Security Team and other teams   
   previously mentioned, as well as to the Foundation executive team. This will be   
   a useful tool in identifying areas for investment and prioritisation going   
   forward as more security projects are planned and funded.   
      
   The report is intended primarily for FreeBSD Project and Foundation planning   
   purposes and as such there is no plan to promote it to an external audience.   
   Interested readers should contact the Security Team to request a copy of the   
   report.   
      
   To learn about the project, and to see historical monthly updates visit:   
   https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD.   
      
   Sponsor: Alpha Omega Project   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   Framework Laptop support   
      
   Links:   
   Framework Laptop page on FreeBSD Wiki URL: https://wiki.freebsd.org/Laptops/Framework_Laptop/   
   Guide on installing and using FreeBSD on Framework systems URL:   
   https://github.com/FrameworkComputer/freebsd-on-framework   
   Tracking ticket: Framework Laptop: Feature support, bugs and improvements URL:   
   https://bugs.freebsd.org/262152   
      
   Contact: Daniel Schaefer    
   Contact: Li-Wen Hsu    
   Contact: Sheng-Yi Hong    
      
   Framework Laptop Inc has been friendly to the FreeBSD project for a long time   
   and in many respects, including providing engineering samples to the Foundation   
   for testing and for work on support.   
      
   Since summer 2024 there have been several small hackathons in Framework’s Taipei   
   office, testing FreeBSD on different Framework laptop models and on their   
   peripheral devices.   
      
   Sheng-Yi is using the laptop provided by Framework Computer to add more device   
   support, e.g. d3b05d0ea10a: Add smbus and i2c device IDs for Meteor Lake.   
      
   Daniel from Framework Computer Inc started a repository under Framework   
   Computer’s GitHub organization to keep installation notes and miscellaneous   
   information. He fixed fingerprint reader support (libfprint) not just for   
   Framework, but for FreeBSD in general, and is working on support and fixes for   
   many related drivers on FreeBSD.   
      
   In November, Foundation people and some FreeBSD developers visited Framework’s   
   San Francisco office and had a meeting to check the current FreeBSD support   
   status and discuss possible future collaboration plans.   
      
   The Foundation will continue working on improving general laptop support, using   
   Framework as one of the target platforms for the Laptop Support and Usability   
   Project.   
      
   Sponsor: The FreeBSD Foundation for Li-Wen’s work   
   Sponsor: Framework Computer Inc for Daniel’s work, hardware and space support   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   Userland   
      
   Changes affecting the base system and programs in it.   
      
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━━━━━━━   
   ━━━━━━━━━━━━━━   
      
   PkgBase-motivated improvements to pkg   
      
      