diff --git a/website/content/en/status/report-2025-10-2025-12/alpha-omega-beach-cleaning.adoc b/website/content/en/status/report-2025-10-2025-12/alpha-omega-beach-cleaning.adoc new file mode 100644 index 0000000000..fffcd8ebfd --- /dev/null +++ b/website/content/en/status/report-2025-10-2025-12/alpha-omega-beach-cleaning.adoc 
@@ -0,0 +1,53 @@ +=== Alpha-Omega Beach Cleaning project + +Links: + +link:https://alpha-omega.dev[Alpha-Omega -- Linux Foundation Project] URL: link:https://alpha-omega.dev[] + +link:https://github.com/ossf/alpha-omega[Alpha-Omega on GitHub] URL: link:https://github.com/ossf/alpha-omega[] + +link:https://freebsdfoundation.org[FreeBSD Foundation] URL: link:https://freebsdfoundation.org[] + +link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[Project repository from the FreeBSD Foundation] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[] + +Contact: Pierre Pronchery + +Alpha-Omega's mission is to catalyze sustainable security improvements to critical open source projects and ecosystems. +After a successful project with the FreeBSD Foundation in 2024 -- auditing the bhyve hypervisor and the Capsicum sandboxing framework -- Alpha-Omega has selected FreeBSD again, for the Alpha Omega Beach Cleaning project this time. +This new grant consists in generally improving the security and maintenance of third-party software within the FreeBSD base system. +The FreeBSD Foundation received the grant and is managing and executing the project. + +Since the previous report from 2025Q3, the following tasks have been completed: + +* Inventory of dependencies +* Security risk assessments +* Propose list of priorities +* Plan the respective actions +* Formalize code owners + +A global database file contains the information collected for the project, in collaboration with the SBOM initiative sponsored by Germany's Sovereign Tech Agency. +Its structure has also been simplified in the past few months, but remains in the YAML format. +It is available like before as link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml[database.yml]. + +The aobc-generate Go program in the repository has been renamed to aobc-tool. +In addition to the previous deliverables, it is now able to generate a collection of SBOM files. 
+This is performed through intermediate files in the pkg-config format, which are then converted into SPDX thanks to the bomtool program from the pkgconf project: + +* link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/pkgconfig[pkgconfig files] +* link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/spdx[SPDX files] + +This information includes the respective code owners identified for each third-party component. +The aobc-tool program is also able to suggest the known code owners for a given part of the source tree. +All of the code owners listed have been contacted in December 2025 to inform them about the project, and to confirm their association with the component. + +The feedback collected so far has only been positive, including a suggestion to package the tool into the FreeBSD ports. +However, it seems more relevant as of now to rewrite the tool in a way suitable for inclusion into the base system, e.g., in Lua. + +Finally, the remaining tasks will be performed until the end of the first quarter of 2026: + +* Integrate review methodologies +* Plan execution & coordination +* Final report + +This initiative was presented to the srcmgr committee in November. +Their input and feedback will be taken into account through this last phase of the project. + +Monthly reporting is submitted to alpha-omega and available as before on GitHub link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2025/FreeBSD[for 2025] and soon link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2026/FreeBSD[for 2026] as well. + +Sponsor: Alpha-Omega, The FreeBSD Foundation
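Review bot: the final paragraph links to `link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2026/FreeBSD[for 2026]` while the sentence itself says that directory will exist "soon", so the link will be dead when the report is published; either drop the link until the 2026 directory exists or keep the URL as plain text. Minor wording and consistency points in the same hunk: "This new grant consists in generally improving" should read "consists of generally improving"; the project name is hyphenated in the heading ("Alpha-Omega Beach Cleaning") but not in the body ("Alpha Omega Beach Cleaning project"); "submitted to alpha-omega" should be capitalised as "Alpha-Omega" like everywhere else; and the two repository links for the generated artifacts use `blob/main/pkgconfig` and `blob/main/spdx`, which are directories and should use `tree/` paths like the engagement links do.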