FreeBSD shortly before 15.0: Trust is good, reproducibility is better
For FreeBSD 15, coming in December, the developers have implemented Zero-Trust Builds and Reproducible Builds.
- Michael Plura
In the wake of growing supply chain attacks, the FreeBSD developers are relying on a transparent build concept in the form of Zero-Trust Builds. The approach builds on the established practice of Reproducible Builds, in which binary files can be rebuilt bit-for-bit from the published source code. While reproducible builds primarily ensure verifiability, the zero-trust model goes a step further and removes trust from the build process itself: no single server, maintainer, or compiler is treated as more than potentially trustworthy.
Instead, independent, deterministic build environments generate the same artifacts, whose consistency is cryptographically verified. Manipulations in the build process or the toolchain would thus be immediately apparent. The result is a production process that is verifiable end to end, in which manipulations in toolchains, CI systems, or signing processes become recognizable. This is a consistent step towards a software world in which security rests not on trust, which governments and intelligence agencies have undermined, but on sober verifiability.
Astonishing: Plenty of money from the German government
At the end of 2024, the FreeBSD Foundation received a hefty 686,400 EUR from the Sovereign Tech Agency for modernizing the infrastructure. The funding agency, founded in October 2022, is financed by the Federal Ministry for Economic Affairs and Energy. Currently, it is a subsidiary of the Federal Agency for Disruptive Innovations, SPRIND GmbH. One of the sub-projects financed by this funding is the aforementioned "Zero Trust & Reproducible Builds".
Slightly delayed, but ready for FreeBSD 15
In January 2025, the FreeBSD Foundation announced that it would implement both technologies by August. In particular, the build process for upcoming FreeBSD releases is meant to produce reproducible and verifiable binary files without root access. The goal has now been achieved with a slight delay and can be used in the current development branch for FreeBSD 15.
This makes the ISO images required for installation on USB sticks and CD/DVDs, the images for virtual machines, and the cloud images for deployment in AWS, Azure, and so on independently verifiable. This includes the elimination or normalization of timestamps so that builds deliver identical results regardless of the creation time.
Equally important is reproducible sorting of file lists, package metadata, and similar structures to avoid random differences. Furthermore, the build environments remain consistent, including debug paths, locale settings, and other environment parameters. The tools used, such as the mkimg(1) utility responsible for generating file system images, are also extended to support reproducible artifacts natively.
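The following Python sketch is an added illustration, not FreeBSD's build code: it packs the same files on two simulated builders and shows that normalizing timestamps, ownership, and file order yields identical digests, while a modified input is caught. The builder records, file contents, and `PINNED_EPOCH` are constructed assumptions.

```python
import hashlib
import io
import tarfile

# Constructed sample data: the same three files as seen by two independent builders.
FILES = {
    "boot/loader.conf": b'autoboot_delay="3"\n',
    "etc/rc.conf": b'hostname="demo"\n',
    "bin/hello": b"#!/bin/sh\necho hello\n",
}
# Each builder differs in build time, directory iteration order and build user.
BUILDER_A = {"mtime": 1730000000, "order": ["etc/rc.conf", "bin/hello", "boot/loader.conf"], "user": "alice"}
BUILDER_B = {"mtime": 1730086400, "order": ["bin/hello", "boot/loader.conf", "etc/rc.conf"], "user": "ci"}
PINNED_EPOCH = 1700000000  # assumed fixed timestamp agreed on for the release


def build_digest(builder, files=FILES, reproducible=True):
    """Pack the files into an in-memory tar archive and return its SHA-256."""
    names = list(builder["order"])
    if reproducible:
        names.sort()  # stable file order, independent of the filesystem
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            if reproducible:
                info.mtime = PINNED_EPOCH  # normalized timestamp
                info.uname = info.gname = "root"  # normalized ownership
            else:
                info.mtime = builder["mtime"]  # leaks the build time
                info.uname = info.gname = builder["user"]  # leaks the build user
            tar.addfile(info, io.BytesIO(files[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def digests_match(builds, reproducible=True):
    """builds: list of (builder, files) pairs; True when all digests agree."""
    return len({build_digest(b, f, reproducible) for b, f in builds}) == 1


if __name__ == "__main__":
    same = [(BUILDER_A, FILES), (BUILDER_B, FILES)]
    print("naive builds match:       ", digests_match(same, reproducible=False))
    print("reproducible builds match:", digests_match(same))
    changed = dict(FILES, **{"bin/hello": b"#!/bin/sh\necho hullo\n"})
    print("modified input detected:  ", not digests_match([(BUILDER_A, FILES), (BUILDER_B, changed)]))
```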
FreeBSD follows GNU/Linux and NetBSD with its approach
It was also time for FreeBSD to support this security aspect, which GNU/Linux and even NetBSD have been offering for years. There is no statement from OpenBSD, which is consistently focused on security, but it seems not to be an issue for the developers. Instead, they experiment with other techniques, such as partly deliberate variability through, for example, kernel and library randomization. Deterministic builds somewhat contradict this concept.
(vbr)