Zero-Trust Builds for FreeBSD

The Foundation is pleased to announce that a planned project to deliver zero-trust builds has begun in January 2025. This project is a key component of the work commissioned by the Sovereign Tech Agency (STA) and is one of five initiatives that together are aimed at advancing Zero Trust builds, Software Bill of Materials (SBOM), CI/CD automation, security controls in Ports and Packages, and technical debt reduction.

The Zero-Trust Build project is scheduled from Jan-Aug 2025 and centers on the FreeBSD build process, and in particular, release building. The primary goal of this work is to enable the entire release process to run without requiring root access, and that build artifacts build reproducibly – that is, that a third party can build bit-for-bit identical artifacts.

Additionally, the project aims to enhance build process documentation, ensuring that release building is straightforward and does not require specialized knowledge. The work is targeted for completion prior to the release of FreeBSD 15.0.

Importantly, these updates will not impact users of FreeBSD release images; the images will look the same regardless of the build process.

However, organizations utilizing FreeBSD to develop products that involve modifications to the release process should anticipate some effort to integrate these changes. Specifically, if your workflow includes local patches to release/*, you may encounter merge conflicts during a git rebase at some point this year.