Clean up critical infrastructure in FreeBSD



Open source infrastructure depends on more than new features. It also depends on the steady, often unseen work of identifying risks, improving processes and making systems easier to maintain over time.

This is exactly what the Beach Cleaning Project set out to do for FreeBSD.

This project focused on improving the security resilience of the FreeBSD base system by giving the Project better visibility into the third-party software it ships, better tools for evaluating and maintaining that software, and a stronger foundation for future work around software transparency, security, and sustainability.

Why this work matters

FreeBSD’s base system includes a wide range of third-party components. Over time, it becomes more difficult to keep track of what’s included, who maintains it, how exposed it is, and what steps need to be taken. That challenge is not unique to FreeBSD. It is one shared by many mature open source projects.

The Beach Cleaning Project tackled this challenge directly.

The result was not just an overview of what exists today. It has produced practical tools, machine-readable data, security assessments and implementation plans that will support FreeBSD development well beyond the lifetime of the project.

A Critical Early Win: OpenSSL 3.5 for FreeBSD 15.0

The project started with an urgent and high-impact task: updating OpenSSL in FreeBSD's src repository in time for the FreeBSD 15.0 release cycle. That work ensured that FreeBSD could move to OpenSSL 3.5 LTS instead of staying on OpenSSL 3.0 LTS.

This matters because OpenSSL 3.0 reaches end-of-life on September 7, 2026, while OpenSSL 3.5 is supported until April 8, 2030. Since FreeBSD 15 is expected to reach end-of-life in December 2030, the move to OpenSSL 3.5 drastically reduces the amount of time the FreeBSD community needs to maintain OpenSSL after its upstream end-of-life, from more than four years to months.

Just as importantly, the work was completed on time for the FreeBSD 15.0 schedule and included build validation across supported architectures, legacy architecture testing, and coordination for broader testing.

Build a clearer picture of the base system

Another important outcome of the project was the creation of a machine-readable inventory of software in the FreeBSD base system.

Using new tools developed during the project, the team built a YAML-based database that supports reporting on maintainers, components, security review, planning and the generation of software bills of materials (SBOMs). By the end of the project, that database included more than 1,000 different components, including 73 imported from third-party projects.

This is the kind of work that makes future maintenance easier. Instead of relying on incomplete or outdated lists, FreeBSD now has a stronger foundation for understanding what’s in the base system and how those pieces relate to security, ownership, and release engineering.

Turn visibility into action

Inventory alone is not enough. The project also developed a structured way to assess security risk across third-party software in the base system.

Components were evaluated based on factors such as impact on build infrastructure, operating system integrity, network exposure, authentication and user-facing functionality. This helped identify the most critical areas for attention and guided discussions with FreeBSD’s release engineering, security response, and source management teams.

From those discussions came a practical set of priorities, including supporting SBOM generation through SPDX tools, importing pkg into the base system as FreeBSD moves further into pkgbase, and improving the tools around code ownership and maintenance.

Better tools for a healthier project

One of the strongest outcomes of the Beach Cleaning Project is that it didn’t stop at analysis. It has produced real tools that can continue to deliver value.

The project added support for generating CODEOWNERS-style reports, which helped replace outdated and incomplete maintainer information with something more useful and machine-readable. It also created tools to generate SBOM data in SPDX 2 and SPDX 3 formats, report on dependencies, assess security exposure, and identify maintainers for different parts of the tree.

Additional automation was developed to track component versions and restore deliverables through testing workflows, making the work easier to maintain and extend over time.

The foundation is laid for what comes next

Some of the implementation work has progressed significantly during the project, even if it is not yet fully completed.

This includes preparation for importing the pkgconf components required for SBOM generation and ongoing work related to importing pkg into the base system as part of the broader pkgbase transition. In both cases, the project helped move concepts into proven, reviewable work that can continue forward.

This is an important part of work like this. It is not just about preparing a final report. It is also about making the next step easier for the Project and for future contributors. In that sense, the Beach Cleaning Project has already had an impact by helping FreeBSD align priorities, improve coordination, and build a stronger path for future security and maintenance work.

Why it matters beyond FreeBSD

Projects across open source deal with many of the same questions about security, software composition, traceability, and long-term sustainability.

What makes this work especially valuable is that it provides a practical example of how to approach those challenges: start with visibility, build better data and tools, identify priorities, and create processes that make long-term maintenance more manageable. The deliverables of this project are part of that bigger story.

Thanks to Alpha-Omega

We are grateful to Alpha-Omega for supporting this work. Funding efforts like this help enable important maintenance and security work, even when it’s not the most visible part of open source development.

This project helped lay important groundwork for FreeBSD’s future, and we’re excited to see the work continue.

— Contributed by Pierre Pronchery and Anne Dickison



Eva Grace
