   comp.unix.bsd.freebsd.announce      FreeBSD announcements      143 messages   

   Message 133 of 143   
   Lorenzo Salvadore to All   
   FreeBSD Status Report - Third Quarter 20   
   30 Nov 25 14:00:08   
   
   [continued from previous message]   
      
   regularly until at least the end of 2025 to ensure that we understand the value   
   of the project going forward.   
      
   The scope was co-created with srcmgr@. Work items are as follows:   
      
     • Create a dashboard for the Source Management team to get a clearer picture
       of the bug backlog, and how effectively it is being managed (e.g. Time to
       First Attention for new bugs).
      
         □ Output: https://grimoire.freebsd.org/   
      
     • Upgrade Bugzilla to a supported release to improve security and benefit   
       from new functionality.   
      
         □ Output: https://wiki.freebsd.org/Bugzilla/Roadmap   
      
     • Create a method for applying patches automatically.   
      
         □ Output: https://github.com/linimon/patchQA   
      
     • Create upstream documentation for running GrimoireLab (bug dashboard) on
       FreeBSD.
      
         □ Output: https://github.com/chaoss/grimoirelab/blob/main/FreeBSD.md   
      
   Work Package B: Zero Trust Builds   
      
   This work package intends to improve tooling and processes to support Zero   
   Trust Builds of FreeBSD by extending the current components to enable the   
   project to build release artifacts (package sets, ISO images, etc.) without   
   requiring any special privilege.   
      
   The detailed scope was co-created with core@, srcmgr@, secteam@. Work items are   
   as follows:   
      
     • Must   
      
         □ No-root for all source release build cases/artifacts (complete)   
      
         □ Src artifacts to build reproducibly (in progress)   
      
         □ Formalize and document make world and release.sh (in review)   
      
     • Should   
      
         □ Remove privilege from orchestration tooling (not started)   
      
         □ Move build scripts into the public repository (in progress)   
      
         □ Address dependencies (in progress)   
      
     • Could   
      
         □ Environment Standardization (in progress)   
      
         □ Ports to build reproducibly (in progress)   
      
         □ CI to verify reproducibility (in progress)   
      
         □ Documentation to allow 3rd parties to confirm reproducibility (not   
           started)   
      
   Work Package C: CI/CD Automation   
      
   This work package intends to improve CI/CD automation to streamline software
   delivery and operations for new and existing software by modernizing and
   securing the existing CI/CD system and extending it to cover the third-party
   packages in the FreeBSD Ports Collection.

   The detailed scope was co-created with core@, srcmgr@, portmgr@, doceng@.

     • Must

         □ Improve quality of incoming commits (completed)

         □ Pre-merge CI (completed)

         □ Environment Metadata (in progress)

         □ Extend CI to the Ports tree (in progress)

         □ CI Threat Model (in progress)

         □ CI Management Process (in progress)

         □ Documentation (not started)

     • Should

         □ 3rd-party Interoperability (in progress)

         □ Automated analysis in tests (in progress)

         □ Test Case Management (in progress)

     • Could

         □ Granular Debugging (in progress)
      
   Work Package D: Ports and Packages security improvements   
      
   This work package intends to modernize and extend security controls in the
   FreeBSD Ports and Package Collection by: migrating from our VuXML Vulnerability
   Database to OSV or a similar contemporary format; developing a package audit
   backend and server to reliably fetch vulnerability data from global agency
   databases in any format (JSON - NIST) and produce insight; and improving CI
   tooling for FreeBSD Ports.
      
   The detailed scope was co-created with core@, portmgr@, pkgmgr@, secteam@   
      
     • Must   
      
         □ New Database Format (in progress)   
      
         □ Set up 2+ Database Instances (not started)   
      
         □ Migrate Data from old to new database (in progress)   
      
         □ Add support for new format in pkg(8) (in progress)   
      
         □ Upstream engagement (in progress)   
      
         □ SBOM on demand (not started)   
      
         □ Document how to set up build and test targets (not started)   
      
         □ Integrate 3rd party test targets (not started)   
      
         □ Continuous Testing (not started)   
      
     • Could   
      
         □ Make CI artifacts available (not started)   
      
   Work Package E: SBOM improvements   
      
   This work package intends to improve existing, and implement new, tooling and
   processes for FreeBSD Software Bill of Materials (SBOM) by implementing:
   tooling to roll up the individual provenance data/markers from across the tree
   into a higher-level view; developing tooling to parse/review/inspect the
   FreeBSD source tree and produce a comprehensive/holistic report to act as an
   SBOM for the full software stack; and extending pkg to enable this capability
   for software installed from ports/packages.
      
   The detailed scope was co-created with core@, portmgr@, pkgmgr@, secteam@,   
   releng@   
      
     • Must   
      
         □ Evaluate projects/solutions available in the wider ecosystem (in   
           progress)   
      
         □ Propose the target solution for SBOM (in progress)   
      
         □ Produce an SBOM in CI (e.g. weekly builds) (in progress)   
      
         □ Produce an SBOM as an artifact as part of the release process (in   
           progress)   
      
         □ SBOM artifact on demand (in progress)   
      
         □ Roll up existing data (in progress)   
      
         □ Record and explain decisions made (in progress)   
      
     • Could   
      
         □ Engage with other similar projects (in progress)   
      
   Commissioning body: Sovereign Tech Agency   
      
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
      
   Alpha-Omega Beach Cleaning project   
      
   Links:   
   Alpha-Omega — Linux Foundation Project URL: https://alpha-omega.dev   
   Alpha-Omega on GitHub URL: https://github.com/ossf/alpha-omega   
   FreeBSD Foundation URL: https://freebsdfoundation.org   
   Project repository from the FreeBSD Foundation URL:   
   https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning   
      
   Contact: Pierre Pronchery    
      
   Alpha-Omega’s mission is to catalyze sustainable security improvements to
   critical open source projects and ecosystems. After a successful project with
   the FreeBSD Foundation in 2024 — auditing the bhyve hypervisor and the Capsicum
   sandboxing framework — Alpha-Omega has selected FreeBSD again, this time for the
   Alpha-Omega Beach Cleaning project. This new grant consists of generally
   improving the security and maintenance of third-party software within the
   FreeBSD base system. The FreeBSD Foundation received the grant and is managing
   and executing the project.
      
   The list of tasks has been determined as follows:   
      
     • Inventory of dependencies   
      
     • Security risk assessments   
      
     • Propose list of priorities   
      
     • Plan the respective actions   
      
     • Formalize code owners   
      
     • Integrate review methodologies   
      
     • Plan execution & coordination   
      
     • Final report   
      
   The first deliverables have been issued on the dedicated GitHub repository:   
      
     • Machine-readable database   
      
     • List of dependencies   
      
     • Security risk assessments   
      
   Help is welcome to complete the information collected, and to improve on any   
   other aspect of the project!   
      
   Finally, monthly reporting is submitted and available on GitHub.   
      
   Sponsor: Alpha-Omega, The FreeBSD Foundation   
      
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
      
   STA Work Package C: CI/CD Automation   
      
   Contact: Siva Mahadevan    
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
