
February 2024 E-newsletter


Hi there! Welcome to the February e-newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done over the previous month. In January, Ruby Central’s open-source work was supported by 29 different companies, including Fastly, Sentry, Ruby Shield sponsor Shopify, and Partner-level member Contributed Systems, the company behind Mike Perham’s Sidekiq. In total, we were supported by 178 members. Thanks to all of our members for making everything that we do possible. <3

Ruby Central News

Ruby Meet-ups

  • Directory coming soon! We’re creating a directory of ALL active Ruby meetups to help us connect with one another, and so we can offer resources and support. Click to fill out the form below and register your Ruby meet-up today!
  • Bay Area meetup in March! Our first sponsored meetup is starting Friday March 1st, 2024 in the SF Bay Area in the US with a low-key ramen lunch hosted by Ruby Central’s Adarsh Pandit! RSVP here.

RubyConf 2023 Recap Report

We published a report last week capturing every part of RubyConf 2023, from the innovative new additions to the program – Community Day and Open Spaces – to our attendee demographics, to the budget it took to make it happen. Enjoy this walk with us down memory lane to see what you missed, or re-live the fun – pictures included!

Upcoming Conferences:

  • Ruby Central
    • RailsConf is fast approaching, this year in Detroit on May 7 – 9. Conference tickets are on sale now!
    • Next year’s RubyConf will be in Chicago! Dates and locations are being finalized right now… Stay tuned.
  • Community Conferences

Get Involved:

  • If you’d like to get involved and help make our community and events even better, we’d love to have you! Check out our volunteer page, and/or feel free to shoot an email to our executive director, Adarsh, to find the best way to get plugged in.
  • Want to share your brand at RailsConf or RubyConf in 2024? Secure your sponsorship now to reach over 500 attendees, showcase your thought leadership, and cultivate valuable industry relationships by emailing our wonderful sponsorships manager, Tom.
  • Remember, you can receive exclusive benefits like conference discounts and more by signing up for a Ruby Central membership. Check to see if your employer matches donations to Ruby Central, Inc. via Benevity and double your support!

RubyGems News

In January in RubyGems, we released RubyGems 3.5.5 and Bundler 2.5.5. These releases included fixes to the caching specifications directory, development dependency omission, and the formatting of compact index request headers, as part of our continuous effort to enhance the Ruby development experience.

Some other important accomplishments from the team this month include:

Resolution of Bundler issue with Renovatebot

  • @deivid-rodriguez addressed a specific Bundler resolution problem affecting the operation of Renovatebot. We try to play nice with update bots since they contribute to a healthier and more secure ecosystem. Renovate in particular doesn’t seem to use Bundler internals, but runs Bundler directly via well-defined CLI flags. This is great for us, so it’s nice to give back and make sure the CLI flags they use work as expected. The problem happens when Renovatebot first modifies the Gemfile and then runs bundle lock --update --patch --strict.
  • He first investigated a solution that involved bringing the lockfile up to date but ultimately realized that this approach breaks the --patch --strict contract, because it results in that patch-level version potentially being upgraded. In the end, he decided to consider the current behavior expected and will focus on improving the error message in the future. – (7369).

Resolution of RubyGems require issue

  • @deivid-rodriguez tackled a tricky issue within RubyGems related to its custom require implementation. The gemification of default gems, especially those with dependencies, unveiled issues after the Ruby 3.3 release, affecting user experience. The fix ensures RubyGems require bypasses activating default versions of gems under conflict-prone circumstances. For more details, see #7379.

Work toward vendoring URI in RubyGems

  • This initiative was part of efforts to smooth out the extraction of default gems from ruby-core, ensuring a seamless transition. The successful vendoring of URI marks a significant step toward mitigating activation conflicts. Information on this update is available in #7386.

Addressing an ENV resetting issue in RubyGems

  • Restoring Bundler-related ENV variables to empty prevents downstream issues related to trying to invoke Bundler from subprocesses, as one of our users, Edouard-chin, pointed out. An investigation led to the identification of a bug related to special-casing empty ENV variables. The decision was made to remove this exception; the fix and its implications are detailed in #7383.
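The distinction behind this fix is that an environment variable that is present but empty is not the same as one that is unset, and a subprocess (or a shell using ${VAR+set}) can tell them apart. The following is an added illustration, not code from RubyGems or Bundler: it snapshots and restores a set of variables around a block, and shows what happens when the restore step special-cases empty values. The variable list, the `with_env`/`restore_env` helpers and the sample parent environment are all constructed for this example; the helpers accept any Hash-like object with the ENV API so the demonstration runs against a plain Hash.

```ruby
# Added illustration (not RubyGems' or Bundler's code): snapshot/restore of
# environment variables, with and without the "empty means unset" mistake.

# Illustrative subset of variables Bundler sets or reads (constructed list).
BUNDLER_VARS = %w[BUNDLE_GEMFILE BUNDLE_PATH BUNDLE_BIN_PATH RUBYOPT RUBYLIB].freeze

# Capture each key's current value: "" for present-but-empty, nil for absent.
def snapshot_env(env, keys = BUNDLER_VARS)
  keys.each_with_object({}) { |k, h| h[k] = env[k] }
end

# Put captured values back. special_case_empty: true reproduces the failure mode
# described above, where an empty string is treated as if the variable were unset.
def restore_env(env, saved, special_case_empty: false)
  saved.each do |k, v|
    if v.nil? || (special_case_empty && v.empty?)
      env.delete(k)
    else
      env[k] = v
    end
  end
  env
end

# Run a block with overrides applied (nil removes a variable), then restore the
# previous state, whatever happened inside the block.
def with_env(env, overrides, special_case_empty: false)
  saved = snapshot_env(env, overrides.keys)
  overrides.each do |k, v|
    if v.nil?
      env.delete(k)
    else
      env[k] = v
    end
  end
  yield env
ensure
  restore_env(env, saved, special_case_empty: special_case_empty) if saved
end

# What a child process would observe for one variable.
def describe_var(env, key)
  return :unset unless env.key?(key)
  env[key].empty? ? :present_but_empty : :set
end

# Constructed parent environment: BUNDLE_GEMFILE deliberately present but empty.
def demo(special_case_empty:)
  env = { "BUNDLE_GEMFILE" => "", "RUBYOPT" => "-W0" }
  inside = nil
  overrides = { "BUNDLE_GEMFILE" => "/tmp/child/Gemfile", "RUBYOPT" => nil }
  with_env(env, overrides, special_case_empty: special_case_empty) do |e|
    inside = [describe_var(e, "BUNDLE_GEMFILE"), describe_var(e, "RUBYOPT")]
  end
  after = { "BUNDLE_GEMFILE" => describe_var(env, "BUNDLE_GEMFILE"),
            "RUBYOPT" => describe_var(env, "RUBYOPT") }
  { inside: inside, after: after }
end

if __FILE__ == $PROGRAM_NAME
  puts "correct restore: #{demo(special_case_empty: false)[:after]}"
  puts "special-cased:   #{demo(special_case_empty: true)[:after]}"
end
```

With the correct restore, BUNDLE_GEMFILE comes back as present-but-empty exactly as the parent had it; with the special case, the variable silently disappears after the block, which is the kind of state a later subprocess launch would inherit.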

Introduction of a Gem Rebuild Command

  • Ellen Dash is leading the development of a gem rebuild command to facilitate reproducible builds. Reproducible builds allow people to identify problems such as compromised build environments or builds not using the published source. For a few years now, it’s been technically possible to reproduce a build if you knew enough about the original build environment. The gem rebuild command’s purpose is to automate as much of this as possible.

In January, RubyGems gained 163 new commits contributed by 18 authors. There were 6,051 additions and 1,059 deletions across 244 files.

RubyGems.org News

January’s updates to RubyGems.org reflect a strong commitment to enhancing user experience, improving security, and modernizing the platform.

The following are highlights of what the team worked on this month:

Resolution of a multi-factor authentication (MFA) bypass on password reset vulnerability

A vulnerability report from HackerOne brought to our attention a critical flaw in the MFA process during password reset. This issue was addressed and resolved through the collaborative efforts of Martin Emde, with significant contributions from Josef Šimánek, Samuel Giddins, and Eric. Read more about the report here.

Audit/Event Logging for Enhanced Security Monitoring

  • We introduced a user-visible log of security events that have occurred on their account. This will help maintainers stay on top of how their account is being used, and of events that happen on the gems they own, reducing mean time to remediation for unexpected actions. This also helps the RubyGems.org security team by providing a trail that can be followed in response to security incidents.
  • Critical events such as logins, password changes, email updates, API token generation and revocation, and gem ownership changes are now logged. These logs are user-specific for account actions, while gem-related events are accessible to all owners of the respective gem. Check out #4367 for more information.
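The visibility rule above (account events only for the account holder, gem events for every owner of that gem) is the part a maintainer relies on when reviewing the log. The following is an added example, not RubyGems.org’s code: an in-memory event log that validates each event against its kind and then answers "what may this user see?". The event kinds, the `SecurityEventLog` class, the users, the gem and every logged event are constructed for this illustration.

```ruby
# Added illustration of the event visibility rules (not RubyGems.org's code).
# Users, gems and events are plain in-memory structs; all data is constructed.
User = Struct.new(:id, :handle)
GemRecord = Struct.new(:name, :owner_ids)
SecurityEvent = Struct.new(:kind, :actor_id, :gem_name, :at, :details, keyword_init: true)

# Account-level kinds: visible only to the account holder.
ACCOUNT_EVENTS = %i[login password_change email_change api_key_created api_key_revoked].freeze
# Gem-level kinds: visible to every current owner of the gem.
GEM_EVENTS = %i[owner_added owner_removed].freeze

class SecurityEventLog
  attr_reader :events

  def initialize(gems)
    @gems = gems.to_h { |g| [g.name, g] }
    @events = []
  end

  # Append an event after checking that its kind and target make sense together,
  # so an account event can never be filed under a gem and vice versa.
  def record(kind:, actor_id:, gem_name: nil, details: {}, at: Time.now.utc)
    if ACCOUNT_EVENTS.include?(kind)
      raise ArgumentError, "#{kind} is an account event and takes no gem" if gem_name
    elsif GEM_EVENTS.include?(kind)
      raise ArgumentError, "#{kind} needs a known gem" unless gem_name && @gems.key?(gem_name)
    else
      raise ArgumentError, "unknown event kind #{kind.inspect}"
    end
    event = SecurityEvent.new(kind: kind, actor_id: actor_id, gem_name: gem_name,
                              at: at, details: details)
    @events << event
    event
  end

  # Everything the user is entitled to see: their own account events plus every
  # event on gems they co-own (including events triggered by another owner).
  def visible_to(user)
    @events.select do |e|
      if e.gem_name
        @gems[e.gem_name].owner_ids.include?(user.id)
      else
        e.actor_id == user.id
      end
    end
  end
end

# Constructed sample data: three users, one gem with two owners.
ALICE  = User.new(1, "alice")
BOB    = User.new(2, "bob")
CAROL  = User.new(3, "carol")
WIDGET = GemRecord.new("widget", [ALICE.id, BOB.id])

def demo_log
  log = SecurityEventLog.new([WIDGET])
  t = Time.utc(2024, 1, 15, 9, 0, 0)
  log.record(kind: :login, actor_id: ALICE.id, at: t, details: { ip: "203.0.113.7" })
  log.record(kind: :password_change, actor_id: BOB.id, at: t + 60)
  log.record(kind: :login, actor_id: CAROL.id, at: t + 120, details: { ip: "198.51.100.9" })
  log.record(kind: :owner_added, actor_id: ALICE.id, gem_name: "widget", at: t + 180,
             details: { added: BOB.handle })
  log.record(kind: :api_key_created, actor_id: BOB.id, at: t + 240, details: { name: "ci-token" })
  log
end

if __FILE__ == $PROGRAM_NAME
  log = demo_log
  [ALICE, BOB, CAROL].each do |u|
    puts "#{u.handle}: #{log.visible_to(u).map { |e| "#{e.at.iso8601} #{e.kind}" }.join(', ')}"
  end
end
```

Bob sees the owner_added event on widget even though Alice performed it, because he is an owner of that gem; Carol, who owns nothing, sees only her own login.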

RubyGems.org is now using importmaps

  • Importmaps is a modern approach to serving JavaScript, using HTTP/2 to transfer many smaller files rather than bundling JavaScript into a single large file. The result is a much lighter asset build system and better caching of assets that don’t change very often. During development, @martinemde worked through package management challenges with importmaps (e.g. verifying provenance, pushed upstream here: importmap-rails#237). You may not have realized that importmap-rails is a package manager, like bundler or npm, and needs to be managed as one. – (rubygems.org#4396).

Fixing a bug in rack-test related to Content-Security-Policy nonces

  • During the development work on importmaps a small bug in rack-test was identified and fixed. The bug manifested as failing tests, triggered when generating Content-Security-Policy nonces from a session_id. The resolution involved fixing how these cookies are processed in rack-test (rack-test#343) and preventing blank cookies from being recorded in rubygems.org.

Updating to Rails 7.1

  • We updated RubyGems.org to Rails 7.1 to keep the dependencies of the Rails app up to date. The update involved a long-running pull request that addressed dependency issues. The merge and deployment proceeded smoothly after ensuring all upstream dependencies supported Rails 7.1, along with an update to the Rails configuration to align with 7.1 defaults.

Soft Deleting User Records

  • @segiddins implemented a feature for soft-deleting user records, a foundational step for the audit/event logging system. This ensures the preservation of database relationships for historical records referencing users, even after an account is deleted by the user.
  • When a user requests account deletion, we filter all user information from the user record and mark it as deleted, but leave the row in the database. Deleted records are not shown in queries on the site. Find more details about this update in #4376 and #3766.
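The two requirements in that description pull in opposite directions: the row must survive so that historical records (here, push records) still resolve to something, yet nothing identifying may remain on it, and it must vanish from ordinary lookups. The following is an added example, not RubyGems.org’s code, showing one way those three properties can hold at once. The `UserStore` class, the field names, the placeholder handle convention and the sample users and pushes are all constructed for this illustration.

```ruby
# Added illustration of soft deletion (not RubyGems.org's code): the row stays so
# that rows referencing it keep resolving, identifying fields are scrubbed, and the
# record is hidden from normal lookups. All structures and data are constructed.
UserRecord = Struct.new(:id, :handle, :email, :password_digest, :mfa_seed, :deleted_at,
                        keyword_init: true)
# A historical record that references a user by id (e.g. who pushed a version).
GemPush = Struct.new(:gem_name, :version, :pusher_id, :at, keyword_init: true)

# Fields that must not survive deletion.
PERSONAL_FIELDS = %i[email password_digest mfa_seed].freeze

class UserStore
  def initialize
    @users = {}
    @pushes = []
  end

  def add(user)
    @users[user.id] = user
  end

  def add_push(push)
    raise ArgumentError, "unknown user #{push.pusher_id}" unless @users.key?(push.pusher_id)
    @pushes << push
  end

  # Default scope for the site: live accounts only.
  def find_by_handle(handle)
    @users.values.find { |u| u.deleted_at.nil? && u.handle == handle }
  end

  # Historical views may still need the referenced row, deleted or not.
  def find_any(id)
    @users[id]
  end

  def pushes_for(gem_name)
    @pushes.select { |p| p.gem_name == gem_name }
  end

  # Scrub identifying data in place and mark the row deleted; the row itself stays,
  # so every push record pointing at this id still resolves. Idempotent.
  def soft_delete!(id, now: Time.now.utc)
    user = @users.fetch(id)
    return user if user.deleted_at
    PERSONAL_FIELDS.each { |f| user[f] = nil }
    user.handle = "deleted_user_#{id}"   # constructed placeholder convention
    user.deleted_at = now
    user
  end

  # Check used by the test: is anything from PERSONAL_FIELDS still on the row?
  def personal_data_present?(id)
    u = @users.fetch(id)
    PERSONAL_FIELDS.any? { |f| !u[f].nil? }
  end
end

# Constructed sample data: two users, two pushes of the same gem.
def demo_store
  store = UserStore.new
  store.add(UserRecord.new(id: 1, handle: "alice", email: "alice@example.com",
                           password_digest: "$2a$12$constructed-digest", mfa_seed: "CONSTRUCTEDSEED"))
  store.add(UserRecord.new(id: 2, handle: "bob", email: "bob@example.com",
                           password_digest: "$2a$12$constructed-digest", mfa_seed: nil))
  store.add_push(GemPush.new(gem_name: "widget", version: "1.0.0", pusher_id: 1, at: Time.utc(2023, 6, 1)))
  store.add_push(GemPush.new(gem_name: "widget", version: "1.1.0", pusher_id: 2, at: Time.utc(2023, 9, 1)))
  store
end

if __FILE__ == $PROGRAM_NAME
  store = demo_store
  store.soft_delete!(1)
  store.pushes_for("widget").each do |p|
    who = store.find_any(p.pusher_id)
    puts "#{p.gem_name} #{p.version} pushed by #{who.handle}#{' (deleted)' if who.deleted_at}"
  end
end
```

After deletion the push history still attributes widget 1.0.0 to user id 1, but that row now carries only a placeholder handle and a deletion timestamp, and looking up "alice" through the default scope finds nothing.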

Check out an example of the new audit logging in rubygems.org:

[Image: security events section of a rubygems.org profile page]

In January, RubyGems.org gained 85 new commits contributed by 8 authors. There were 2,490 additions and 1,238 deletions across 224 files.

Thanks

Thank you to all the contributors to RubyGems and RubyGems.org this month! Your contributions are greatly appreciated, and we’re grateful for your support.

Contributors to RubyGems:

Contributors to RubyGems.org:

February 27, 2024
