this post was submitted on 10 Mar 2026
33 points (100.0% liked)

Free and Open Source Software

22016 readers
124 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
Gaywallet@beehaw.org
alyaza@beehaw.org
33
TrueNAS build system going closed source (github.com)
submitted 18 hours ago by Ek-Hou-Van-Braai@piefed.social to c/foss@beehaw.org
8 comments fedilink hide all child comments
 

Readme updated today:

This repository is no longer actively maintained.

The TrueNAS build system previously hosted here has been moved to an internal infrastructure. This transition was necessary to meet new security requirements, including support for Secure Boot and related platform integrity features that require tighter control over the build and signing pipeline.

No further updates, pull requests, or issues will be accepted. Existing content is preserved here for historical reference only.

https://github.com/truenas/scale-build

Wondering if this is just the first step towards doing a minio in the future.

top 8 comments
sorted by: hot top controversial new old
[–] TehPers@beehaw.org 8 points 17 hours ago (3 children)

This transition was necessary to meet new security requirements, including support for Secure Boot

Secure boot is dumb, but explains why they'd need a repo to be closed source. To summarize it briefly, you need your bootloader to be signed to work at all with secure boot, which means you have two options: self-sign (which defeats the purpose, though some Linux distros let you do this if you want), or follow all the requirements imposed by Microsoft. As far as I'm aware, one of those requirements is that it must be closed source.

[–] yannic@lemmy.ca 10 points 14 hours ago* (last edited 14 hours ago) (1 children)

Pardon my ignorance, but why would something have to be closed source in order to optionally provide secure boot? Couldn't you provide the secure-boot-enabled binaries in addition to the source for everything except the boot keys?

You sign binaries, right? You don't sign source.

If anyone builds from source they would just have to go through the arduous signing process themselves.

[–] TehPers@beehaw.org 4 points 10 hours ago

why would something have to be closed source in order to optionally provide secure boot? Couldn't you provide the secure-boot-enabled binaries in addition to the source for everything except the boot keys?

This is also something I don't fully understand. Unfortunately it's not easy to find what the requirements are to get a bootloader signed by MS. It's possible I'm mixing up these requirements with requirements for something else that requires a NDA, but it's really not that simple to find the requirements online.

It's possible that the latter is actually the case and it's not secure boot that requires it to be closed source. It's also possible I'm entirely mistaken and they don't need to make it closed source at all. I wish TrueNAS would give more details why it needs to be closed source - whether it's due to a NDA or whatnot.

[–] eskuero@lemmy.fromshado.ws 11 points 17 hours ago (1 children)

Self sign doesn't defeat the purpose, you can add your own keys to your bios that you use to sign your kernel. I do that and have a secure booted Arch Linux installed.

[–] TehPers@beehaw.org 2 points 10 hours ago

Self sign doesn't defeat the purpose

The whole point of signing is that the BIOS can verify that the bootloader is legitimate. For a local Arch install, it doesn't matter because Arch doesn't distribute signed bootloaders and the environment is wholly personal. TrueNAS sells products and services though, such as enterprise-level support. It isn't just something used in home labs. Their customers may require things we do not, and secure boot support appears to be one of them.

Self-signing to work around the idiotic restrictions Microsoft imposes to get it signed would be one way to do that, but then the software is essentially acting as its own authority that it is legitimate. Customers would realistically rather the bootloader's signature is valid with the built-in key provided by MS since it means that MS is confirming its validity instead - not exactly a name I would trust, but I'm personally not a TrueNAS enterprise customer either.

[–] Ek-Hou-Van-Braai@piefed.social 11 points 17 hours ago (1 children)

I've heard others say that you can just use private keys, Debian does that.

Though I'm not very knowledgeable in this, others can hopefully clarify.

[–] TehPers@beehaw.org 1 points 10 hours ago (1 children)

You can use self-signed keys.

It's basically like saying you can trust your own certificates used by TLS on your own machine rather than going through a CA, but realistically businesses would rather use a CA.

[–] Ek-Hou-Van-Braai@piefed.social 2 points 10 hours ago

Business could then pay TrueNAS (or someone else) to handle the signing for them.

All the code can be Open-Source, the handling of they keys just obviously need to be secret.