=== Alpha-Omega Beach Cleaning project

Links: +
link:https://alpha-omega.dev[Alpha-Omega -- Linux Foundation Project] URL: link:https://alpha-omega.dev[] +
link:https://github.com/ossf/alpha-omega[Alpha-Omega on GitHub] URL: link:https://github.com/ossf/alpha-omega[] +
link:https://freebsdfoundation.org[FreeBSD Foundation] URL: link:https://freebsdfoundation.org[] +
link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[Project repository from the FreeBSD Foundation] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning[]

Contact: Pierre Pronchery

Alpha-Omega's mission is to catalyze sustainable security improvements to critical open source projects and ecosystems.
After a successful project with the FreeBSD Foundation in 2024 -- auditing the bhyve hypervisor and the Capsicum sandboxing framework -- Alpha-Omega has selected FreeBSD again, this time for the Alpha-Omega Beach Cleaning project.
This new grant consists of generally improving the security and maintenance of third-party software within the FreeBSD base system.
The FreeBSD Foundation received the grant and is managing and executing the project.

Since the previous report from 2025Q3, the following tasks have been completed:

* Inventory of dependencies
* Security risk assessments
* Propose list of priorities
* Plan the respective actions
* Formalize code owners

A global database file contains the information collected for the project, in collaboration with the SBOM initiative sponsored by Germany's Sovereign Tech Agency.
Its structure has also been simplified in the past few months, but remains in the YAML format.
As before, it is available as link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/database.yml[database.yml].

The aobc-generate Go program in the repository has been renamed to aobc-tool.
In addition to the previous deliverables, it is now able to generate a collection of SBOM files.
This is performed through intermediate files in the pkg-config format, which are then converted into SPDX by the bomtool program from the pkgconf project:

* link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/pkgconfig[pkgconfig files]
* link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/main/spdx[SPDX files]

This information includes the respective code owners identified for each third-party component.
The aobc-tool program is also able to suggest the known code owners for a given part of the source tree.

All of the code owners listed were contacted in December 2025 to inform them about the project, and to confirm their association with the component.
The feedback collected so far has only been positive, including a suggestion to package the tool into the FreeBSD ports.
However, it seems more relevant as of now to rewrite the tool in a way suitable for inclusion into the base system, e.g., in Lua.

Finally, the remaining tasks will be carried out until the end of the first quarter of 2026:

* Integrate review methodologies
* Plan execution & coordination
* Final report

This initiative was presented to the srcmgr committee in November.
Their input and feedback will be taken into account during this last phase of the project.

Monthly reporting is submitted to Alpha-Omega and available as before on GitHub link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2025/FreeBSD[for 2025] and soon link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2026/FreeBSD[for 2026] as well.

Sponsor: Alpha-Omega, The FreeBSD Foundation