Merge pull request #580 from DeforaNetworks/freebsd-202602

2026/FreeBSD: import the 2026 February update

Author: kj-powell

alpha/engagements/2026/FreeBSD/update-2026-02.md

@@ -0,0 +1,77 @@
+# FreeBSD Update - February 2026
+
+## Immediate tasks
+
+This month, the execution and coordination phase continued, with progress on the
+possible integration of the pkg package manager into the base system of FreeBSD.
+
+Collaboration with the Software Bill of Materials (SBOM) initiative continued as
+well, with the following items:
+
+- Enrichment of the database contents
+- Correction of issues with the import of spdxtool into the base system
+- Assistance with the design for the generation of SBOM data in the base system
+
+The database and tooling are still found in the
+[alpha-omega-beach-cleaning](https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning)
+Git repository.
+
+Collaboration is ongoing with the Open Regulatory Compliance Working Group (ORC
+WG) as well.
+
+## Timeline
+
+The current timeline ahead of the last month remains as follows:
+
+| Phase                          | Start date | End date   | Status  |
+| ------------------------------ | ---------- | ---------- | ------- |
+| Inventory of dependencies      | 25/08/2025 | 07/09/2025 | Done    |
+| Security risk assessments      | 08/09/2025 | 21/09/2025 | Done    |
+| Propose list of priorities     | 22/09/2025 | 28/09/2025 | Done    |
+| Plan the respective actions    | 29/09/2025 | 26/10/2025 | Done    |
+| Formalize code owners          | 27/10/2025 | 30/11/2025 | Done    |
+| Integrate review methodologies |      _continuous_      ||         |
+| Plan execution & coordination  |      _continuous_      ||         |
+| Final report                   | 09/03/2026 | 30/03/2026 |         |
+
+### Task: Import spdxtool into the base system
+
+The SBOM initiative has matured and has been confirmed as a new key component,
+required in the next release of FreeBSD. The original draft pull-request offered
+for this project has been used by the SBOM initiative to validate the prototype,
+in particular regarding the granularity of the SBOM files: it is now expected to
+match the packages installed. This could still evolve, as the current
+meta-information offered in the packages may be incomplete, incorrect, or
+impossible to transcribe correctly at this level in an SBOM file.
+
+The draft pull-request was documented further
+[here](https://github.com/freebsd/freebsd-src/pull/1994#issuecomment-3896743965)
+and
+[here](https://github.com/freebsd/freebsd-src/pull/1994#issuecomment-3980704283).
+
+Further integration work is now needed before this pull-request can land into
+FreeBSD's src repository, as bomtool and spdxtool need to be built as part of
+the toolchain in addition to being shipped in the default system: they are
+necessary as native tools, even when cross-compiling. This is in addition to the
+actual handling of the SBOM meta-data, and corresponding updates to the build
+system.
+
+### Task: Import the pkg package manager into the base system
+
+After discussions between the release engineering team and developers of pkg, it
+has become clear that importing pkg into the base system is indeed the way
+forward. This is due in great part to the ongoing "pkgbase" migration from sets
+to individual packages for the installation and maintenance of the base system.
+Work has begun on this task, which is currently being planned like the current
+procedure for vendor updates.
+
+This is because the pace of development for pkg is necessarily decoupled from
+that of the base system: packages are released every 3 months, and will require
+fixes or features faster than the base system can offer them. For this reason,
+pkg will gain the capability to delegate its operation to any updated version
+installed as a package, as deemed necessary by the developers of pkg. This will
+also replace the current bootstrapping system.
+
+In practice, NetBSD already uses this mode of operation, which is believed to be
+working well there.
+