April 20, 2026

Open source infrastructure depends on more than new features. It also depends on the steady, often unseen work of identifying risks, improving processes, and making systems easier to maintain over time.

That is exactly what the Beach Cleaning Project set out to do for FreeBSD.

This project focused on improving the security resilience of the FreeBSD base system by giving the Project better visibility into the third-party software it ships, better tools for evaluating and maintaining that software, and a stronger foundation for future work around software transparency, security, and sustainability.

Why this work mattered

FreeBSD’s base system includes a wide range of third-party components. Over time, keeping track of what is included, who maintains it, how exposed it is, and what action should be taken becomes more difficult. That challenge is not unique to FreeBSD. It is one shared by many mature open source projects.

The Beach Cleaning Project tackled that challenge directly.

The result was not just a review of what exists today. It produced practical tooling, machine-readable data, security assessments, and implementation plans that will continue to support FreeBSD development well beyond the life of the project.

A critical early win: OpenSSL 3.5 for FreeBSD 15.0

The project began with an urgent and high-impact task: updating OpenSSL in FreeBSD’s src repository in time for the FreeBSD 15.0 release cycle. That work ensured FreeBSD could move to OpenSSL 3.5 LTS instead of remaining on OpenSSL 3.0 LTS.

That matters because OpenSSL 3.0 reaches end of life on September 7, 2026, while OpenSSL 3.5 is supported until April 8, 2030. Since FreeBSD 15 is expected to reach end of life in December 2030, moving to OpenSSL 3.5 dramatically reduces the amount of time the FreeBSD community would need to maintain its own unsupported fork, from more than four years to roughly eight months.

Just as important, the work was completed in time for the FreeBSD 15.0 schedule and included build validation across supported architectures, legacy architecture testing, and coordination for broader testing.

Building a clearer picture of the base system

Another major outcome of the project was the creation of a machine-readable inventory of software in the FreeBSD base system.

Using new tooling developed during the project, the team built a YAML-based database that supports reporting on maintainers, components, security review, planning, and Software Bill of Materials generation. By the end of the project, that database included more than 1,000 distinct components, including 73 imported from third-party projects.

This is the kind of work that makes future maintenance easier. Instead of relying on incomplete or outdated lists, FreeBSD now has a stronger foundation for understanding what is in the base system and how those pieces relate to security, ownership, and release engineering.

Turning visibility into action

Inventory alone is not enough. The project also developed a structured way to assess security risk across third-party software in the base system.

Components were evaluated based on factors like impact on build infrastructure, operating system integrity, network exposure, authentication, and user-facing functionality. That helped identify the most critical areas for attention and guided conversations with FreeBSD’s release engineering, security response, and source management teams.

From those conversations came a practical set of priorities, including support for SBOM generation through SPDX tooling, importing pkg into the base system as FreeBSD moves further into pkgbase, and improving tooling around code ownership and maintenance.

Better tooling for a healthier project

One of the strongest outcomes of the Beach Cleaning Project is that it did not stop at analysis. It produced real tooling that can keep delivering value.

The project added support for generating CODEOWNERS-style reports, helping replace stale and incomplete maintainer information with something more useful and machine-readable. It also created tooling to generate SBOM data in SPDX 2 and SPDX 3 formats, report on dependencies, evaluate security exposure, and identify maintainers for different parts of the tree.
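
As an added illustration (not the Project's own tooling or schema), the example below shows how a single inventory record can feed a risk-ordered review queue, CODEOWNERS-style lines, and a minimal SPDX 2.3 document. The field names, factor weights, owner handles, paths, and every record other than the OpenSSL 3.5 name and version are constructed assumptions.

```python
# Added illustration: field names, weights and records are constructed;
# this is not the FreeBSD project's database schema or tooling.

# The five assessment factors named in the article; the weights are assumed.
WEIGHTS = {"build_infra": 3, "os_integrity": 3, "network": 2,
           "authentication": 2, "user_facing": 1}

# Constructed stand-ins for records in a YAML inventory.
INVENTORY = [
    {"name": "openssl", "version": "3.5", "path": "/vendor/openssl/",
     "owners": ["@crypto-team"], "third_party": True,
     "factors": ["os_integrity", "network", "authentication"]},
    {"name": "example-compress", "version": "1.0",
     "path": "/vendor/example-compress/", "owners": [], "third_party": True,
     "factors": ["build_infra", "user_facing"]},
    {"name": "example-util", "version": "15.0", "path": "/bin/example-util/",
     "owners": ["@base-team"], "third_party": False,
     "factors": ["user_facing"]},
]

def risk_score(component):
    """Sum the weights of every factor the component touches."""
    return sum(WEIGHTS[f] for f in component["factors"])

def review_queue(inventory):
    """Third-party components, highest score first; unowned ones win ties."""
    third = [c for c in inventory if c["third_party"]]
    return sorted(third, key=lambda c: (-risk_score(c), bool(c["owners"]), c["name"]))

def codeowners(inventory):
    """CODEOWNERS-style lines, plus the names of components with no owner."""
    lines = [f'{c["path"]} {" ".join(c["owners"])}' for c in inventory if c["owners"]]
    orphans = [c["name"] for c in inventory if not c["owners"]]
    return lines, orphans

def spdx2_document(inventory, name, namespace, created):
    """Minimal SPDX 2.3 JSON document with one package per component."""
    packages = [{"SPDXID": f'SPDXRef-Package-{c["name"]}', "name": c["name"],
                 "versionInfo": c["version"], "downloadLocation": "NOASSERTION",
                 "filesAnalyzed": False} for c in inventory]
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
            "SPDXID": "SPDXRef-DOCUMENT", "name": name,
            "documentNamespace": namespace,
            "creationInfo": {"created": created,
                             "creators": ["Tool: example-inventory"]},
            "packages": packages,
            "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                               "relationshipType": "DESCRIBES",
                               "relatedSpdxElement": p["SPDXID"]} for p in packages]}
```

The orphan list returned by `codeowners` is the part that replaces stale maintainer information: a high-scoring component with no owner is the first thing a review should pick up.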

Additional automation was developed to track component versions and regenerate deliverables through testing workflows, making the work easier to maintain and extend over time.

Laying groundwork for what comes next

Some of the implementation work advanced significantly during the project, even if it is not yet fully complete.

That includes preparation for importing pkgconf components needed for SBOM generation and ongoing work related to importing pkg into the base system as part of the broader pkgbase transition. In both cases, the project helped move concepts into tested, reviewable work that can continue forward.

That is an important part of work like this. It is not only about producing a final report. It is also about making the next step easier for the Project and for future contributors. In that sense, the Beach Cleaning Project has already had an impact by helping FreeBSD align priorities, improve coordination, and build a stronger path for future security and maintenance work.

Why this matters beyond FreeBSD

Projects across open source are dealing with many of the same questions around security, software composition, traceability, and long-term sustainability.

What makes this work especially valuable is that it offers a practical example of how to approach those challenges: start with visibility, build better data and tooling, identify priorities, and create processes that make long-term maintenance more manageable. The deliverables from this project are part of that larger story.

Thank you to Alpha-Omega

We are thankful to Alpha-Omega for supporting this work. Funding efforts like this help make important maintenance and security work possible, even when it is not the most visible part of open source development.

This project helped lay important groundwork for FreeBSD’s future, and we are excited to see that work continue.

— Contributed By Pierre Pronchery and Anne Dickison