FreeBSD 15.0 Arrives: New 4-Year Lifecycle, pkgbase Updates, and Massive ZFS/Jail Upgrades
Nearly two years after the debut of the 14.0 branch, the FreeBSD project has unveiled a major new release — FreeBSD 15.0. Installation images are already available for amd64, aarch64, armv7, powerpc64, powerpc64le, and riscv64, alongside virtualization-ready formats such as QCOW2, VHD, VMDK, and raw. Cloud images have also been prepared for environments including Amazon EC2, Google Compute Engine, and Vagrant.
At the same time, the project has revised its lifecycle policy. Beginning with the 15 branch, the support period for major branches after the initial release (15.0) is reduced from five years to four, and major branches will now appear on a two-year cadence. Intermediate point releases (15.1, 15.2, 15.3) are expected approximately every six months. With two branches supported concurrently, a new release will arrive roughly every three months — 15.4, 16.1, 15.5, 16.2, and so on — with a half-year pause before each new “round” release such as 16.0. The release notes summarize not only the innovations of 15.0, but also the changes previously introduced in 14.1, 14.2, and 14.3.
One of the defining shifts in 15.0 concerns the servicing model of the base system. Components of the base may now be installed and updated through the pkg package manager: so-called pkgbase packages can reside on install media for offline installation or be fetched from the pkg.freebsd.org repository. In the pkg configuration (/etc/pkg/FreeBSD.conf), the FreeBSD-base repository is disabled by default, though this new method is already the default for VM and cloud images and is considered experimental for standard installations. The bsdinstall installer now offers two installation modes: the traditional monolithic base with freebsd-update, and a new split-package approach.
A major advance has also been made in securing the build chain. FreeBSD 15.0 can be built entirely in unprivileged environments, without root permissions; even installation ISOs and VM images can be produced without elevated rights. In parallel, reproducible builds are now supported: the binaries are deterministic and can be verified against their sources, reducing the risk of covert tampering.
The architectural lineup has been updated as well. The project has ended the production of installation images and binary repositories for 32-bit i386, armv6, and powerpc; armv7 remains the only supported 32-bit platform. The ability to locally build 32-bit applications and to use COMPAT_FREEBSD32 on 64-bit kernels will remain available at least through the lifecycle of FreeBSD 16.
The kernel gains system calls implementing the Linux-compatible inotify mechanism for filesystem event monitoring, simplifying the porting of software that relies on this model. Solaris-style named file attributes have been introduced as an alternative extended-attribute mechanism for ZFS and NFSv4: attributes are stored in a service directory invisible to ordinary namespace operations and behave like regular files whose lists can be obtained via readdir().
The security subsystem receives a new rights-management tool. The mac_do module, now deemed production-ready, allows administrators to describe policies under which unprivileged users may alter process credentials. The mdo utility, reminiscent of su, enables running commands as another user without relying on setuid root binaries.
Graphics and wireless networking support have been significantly modernized. DRM drivers i915 and amdgpu are now synchronized with Linux 6.9, while Wi-Fi drivers rtw88 (Realtek 802.11n/ac), rtw89 (Realtek 802.11ax), and iwlwifi (Intel 802.11a/b/g/n/ac/ax/be) have been aligned with Linux 6.17. On amd64 systems, configurations exceeding 4 TB of RAM are now supported, and a ufshci driver for UFSHCI storage controllers has been added.
Networking and filesystem layers also see substantive updates. NFS now includes the CLONE operation from the NFSv4.2 specification, enabling server-side block cloning for file copies — currently for exported ZFS datasets only. UFS stability is improved on filesystems exceeding two billion inodes, and UFS1 now correctly handles dates through the year 2106, resolving the 2038 problem. A new SO_SPLICE option for TCP sockets facilitates lightweight proxying without copying data into userspace. The kernel also incorporates the nvmfta module for NVMe-over-Fabrics controllers, and the nvmecontrol utility can now connect to external NVMe devices.
Administrators gain several new utilities. The sndctl tool is introduced for managing sound device settings, and mididump enables real-time monitoring of MIDI events. The bhyve hypervisor receives a slirp backend using libslirp’s user-mode networking stack, allowing guest connectivity without additional host-network configuration. Newsyslog now supports selecting a default compression method (bzip2, xz, zstd, gzip), eliminating repetitive flags in newsyslog.conf. The date utility now supports nanosecond precision via “date -Ins”.
Jail environments receive deep enhancements. A new zfs.dataset option allows attaching an individual ZFS dataset, snapshot, or clone to a jail. The jail command gains meta and env parameters for metadata binding and environment variable passing. Jails may now be addressed via descriptors, with jail_set and jail_get functions and jail_attach_jd / jail_remove_jd system calls. Kevent filters can track jail operations. The adduser utility, used by bsdinstall, can automatically create a dedicated ZFS dataset for a user’s home directory and optionally encrypt it via Zcreate and Zencrypt settings.
The userland receives notable refinements. SIMD optimizations have been applied to many libc string and memory functions. The Gallant terminal font has gained more than 4,300 new glyphs, including Cyrillic and additional mathematical symbols. The tty driver now enables the IUTF8 flag by default for correct UTF-8 backspace behavior. The dialog utility has been replaced with bsddialog, and grep now disables symbolic-link traversal during recursive searches by default.
The project’s move toward containers and cloud environments continues. FreeBSD can now produce OCI-compliant container images and system images for Oracle Cloud. A new “small” cloud-image type optimized for AWS EC2 omits debug data, tests, 32-bit libraries, LLDB, Amazon SSM Agent, and AWS CLI, resulting in noticeably faster boot times compared to base EC2 images.
Package repositories have been broadened and reorganized. A new repository, FreeBSD-kmods, enabled by default, contains kernel modules built specifically for 15.x-RELEASE rather than 15-STABLE, benefiting graphics and other modules tied to unstable kernel interfaces. The previously existing FreeBSD and FreeBSD-kmods repositories in /etc/pkg/FreeBSD.conf have been renamed FreeBSD-ports and FreeBSD-ports-kmods.
Default protocol-stack and network settings have been revised. The net.inet.tcp.nolocaltimewait parameter is now disabled and deprecated, restoring TIME_WAIT entries for locally closed TCP connections; the new sysctl net.inet.tcp.msl_local adjusts the TIME_WAIT duration. Connections to localhost using INADDR_ANY are prohibited by default but can be restored with net.inet.ip.connect_inaddr_wild. Interfaces without IP addresses may now join network bridges, as net.link.bridge.member_ifaddrs defaults to 0.
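A post-upgrade check for the defaults described above, as an added example that is not from the FreeBSD project or the original article: it scans sysctl.conf-style lines for overrides carried over from an older release. The sample file content is constructed, and treating 0 as the value behind the "disabled" and "prohibited" defaults is an assumption drawn from the article's wording.

```shell
#!/bin/sh
# Added example: flag sysctl.conf entries that undo FreeBSD 15.0 network defaults.

# Constructed sample standing in for /etc/sysctl.conf on a host upgraded from 14.x.
sample_conf() {
    cat <<'EOF'
# tuning carried over from the previous release
net.inet.tcp.nolocaltimewait=1
net.inet.ip.connect_inaddr_wild = "1"   # legacy client connects to 0.0.0.0
net.link.bridge.member_ifaddrs=0
kern.ipc.somaxconn=1024
EOF
}

# Reads sysctl.conf-style lines on stdin and prints one line per override
# that differs from the 15.0 default.
audit_sysctl_conf() {
    # Drop comments, whitespace and double quotes before splitting on '='.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/"//g' |
    while IFS='=' read -r name value; do
        [ -n "$name" ] || continue
        case "$name" in
            # Assumption: 0 is the "disabled"/"prohibited" value for each knob.
            net.inet.tcp.nolocaltimewait)    default=0 ;;
            net.inet.ip.connect_inaddr_wild) default=0 ;;
            net.link.bridge.member_ifaddrs)  default=0 ;;
            *) continue ;;
        esac
        [ "$value" = "$default" ] ||
            echo "REVERTED $name=$value (15.0 default: $default)"
    done
}

sample_conf | audit_sysctl_conf
```

On a real host the same function can be fed the live file with `audit_sysctl_conf < /etc/sysctl.conf`.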
Numerous legacy components have been retired. The gvinum logical-volume manager has been removed from base; users are directed to gconcat, gmirror, gstripe, graid, or ZFS. The fdisk utility is deprecated in favor of gpart. The syscons console driver, incompatible with UEFI and lacking UTF-8 support, is now obsolete. FreeBSD 16 plans to remove the agp driver as well as fdc (floppy controller), firewire (IEEE1394), le (legacy AMD Ethernet), and upgt (USB 802.11g). Authentication and network services also evolve: Heimdal Kerberos is replaced by MIT Kerberos, RSA host keys are no longer generated for SSH and EC2 images, DSA support has been removed, and the DES-based publickey database is retired. The ftpd and shar utilities are no longer part of the base system and are now available only as ports.
System interfaces and semantics are aligned with broader industry norms. System calls setgroups, getgroups, and initgroups now behave more predictably by omitting the effective group as a separate leading element. Kernel TLS (KTLS) is enabled by default, offloading portions of cryptographic processing.
Finally, FreeBSD 15.0 arrives with sweeping updates to userland tools and development infrastructure. The release includes LLVM 19.1.7, OpenSSH 10.0p2, OpenSSL 3.5.4, OpenZFS 2.4.0rc4, Lua 5.4.8, jemalloc 5.3.0, Awk 20250804 with UTF-8 support, bc 7.1.0, Unicode 16.0.0, ncurses 6.5, libarchive 3.8.2, tcpdump 4.99.5, unbound 1.24.1, less 679, file 5.46, GoogleTest 1.15.2, and numerous other updated components — making the 15 branch markedly more modern for both server-side and desktop deployments.