This is a web preview of Ruby Central's FIRST Annual OSS Report, for 2024, sharing everything we have been working on over the past year and the impact of our work. We will be publishing a finalized report by the end of this year.
From November 2023 to November 2024, Ruby Central's Open Source Program made significant progress in improving the infrastructure and security of RubyGems, Bundler, and RubyGems.org, building a stable and resilient foundation for Ruby developers and organizations.
This inaugural open source report is intended to be released annually near the start of Q4 and to coincide with RubyConf. It highlights our achievements, sponsors, team, and future plans. By sharing insights into our open source work, we aim to attract new funding and partnerships to ensure the long-term success of the Ruby ecosystem.
Mission
The mission of Ruby Central's Open Source Program is to maintain a secure, reliable ecosystem for the Ruby programming language. Our focus is on strengthening and sustaining Ruby's core tools, including RubyGems.org, Bundler, and other essential infrastructure, to meet the needs of developers at every level, from individual creators to teams within large tech companies. By building and supporting key open source projects, we are empowering the Ruby community to work with confidence and ensuring that Ruby remains a top choice for software development.
Highlights of the Year's Achievements
This year, Ruby Central's Open Source Program focused on initiatives to enhance security, stability, and usability across the Ruby ecosystem. Here are three standout achievements:
Trusted Publishing
Trusted Publishing is a new feature that enables secure, automated gem publishing through OpenID Connect (OIDC), allowing developers to publish directly from trusted environments like GitHub Actions without needing long-lived API tokens. For example, a developer can set up a GitHub Actions workflow to automatically publish a gem after tests pass, without manually handling sensitive tokens. This streamlines the publishing workflow and ensures that the code in public repositories matches the released gems, all while meeting organizational security standards. By introducing Trusted Publishing, we are enhancing the security and reliability of the Ruby supply chain on RubyGems.org.
24/7 On-Call Support with Secondary Rotation
Over the past year, we achieved ~99.99% uptime on RubyGems.org, with zero major outages and rapid resolution of minor degradations, an important achievement given that all Ruby applications depend on this infrastructure.
To ensure rapid response to any incidents, we provided 24/7 on-call support and strengthened coverage by adding a secondary rotation of on-call engineers. Our focus on monitoring and reliability will help us continue to build the trust and confidence of developers and organizations that deploy and maintain Ruby applications.
Organization Accounts (Coming Soon)
The upcoming Organization Accounts feature is a highly anticipated release that will give companies and development teams more control over their gems through structured permissions management. With Organization Accounts, teams can assign and adjust roles, ensuring that only authorized users can manage specific gems. As team members change, permissions can be easily updated, helping to prevent disruptions and maintain continuity in gem management. This is especially valuable for large organizations like AWS, which manage hundreds of gems with many contributors.
The release will roll out in two phases: first, with dedicated admin access controls within RubyGems, allowing organizations to manage permissions and add or remove members. The second stage will allow them to formally link their gems to their organization, providing added security and transparency across the ecosystem. We will be sharing a preview of this work at RubyConf.
You can read more about these and other open source achievements in the "Ruby Central Open Source Summary" section below.
Vision
Our vision for 2025 centers on three core pillars: Security, Stability, and Sustainability.
Security remains our highest priority, driving our continued efforts to strengthen supply chain protections and refine our cloud infrastructure controls.
Stability is essential for ensuring uninterrupted service, and we are dedicated to improving disaster recovery planning and operational documentation to prepare for any challenge.
Sustainability focuses on establishing stable funding for ongoing maintenance and essential projects, enabling the growth of community contributions, and ensuring that Ruby's foundational infrastructure is supported for years to come.
Funding Partners
Ruby Central's work is supported by our funding partners:
- Sovereign Tech Agency (formerly Sovereign Tech Fund): Funds critical infrastructure and security improvements, including work on Trusted Publishing.
- Shopify (Ruby Shield Program): Supports key development work to improve the reliability and security of Ruby's core infrastructure, including contributing to Trusted Publishing.
- AWS: Sponsors our Security Engineer in Residence, Samuel Giddins, whose work has included developing Sigstore integration for RubyGems, enhancing Trusted Publishing capabilities, refactoring API security, and improving RubyGems performance through optimizations and security patches.
- Alpha-Omega Project: Supports specific projects like the Organizations feature and a security audit by Trail of Bits to strengthen RubyGems.
- Individual and corporate members: Ongoing contributions from individual and corporate members help sustain essential development and maintenance across Ruby Central's open source ecosystem.
We are grateful to all our sponsors and members for their dedication to building a secure and resilient foundation for Ruby's future.
About Ruby Central
Ruby Central is a non-profit organization dedicated to advancing the Ruby programming language and fostering a welcoming, diverse global community. Since 2001, we have been creating online and offline spaces, such as RubyConf and RailsConf, that allow Rubyists to connect, engage, and learn from one another.
In addition to hosting events, we now support Ruby's foundational infrastructure through our open source program, which launched in 2022 following our merger with Ruby Together. Through these combined efforts, we are sustaining the core infrastructure and providing essential resources that empower all Ruby developers to build, collaborate, and innovate.
Core Programs
Ruby Central's efforts span several core programs designed to support and advance Ruby:
- Community support and growth: We support the Ruby community by organizing events like RubyConf and RailsConf and creating educational resources.
- Open source infrastructure: We maintain and improve critical tools like RubyGems.org and Bundler, providing developers with a secure, dependable environment to manage and share Ruby libraries.
- Security initiatives: We are committed to protecting the Ruby ecosystem against evolving threats through initiatives like Trusted Publishing, Sigstore integration, and an external security audit of RubyGems.org.
- Funding and partnerships: We collaborate with corporate sponsors and community stakeholders to secure funding for projects, enabling us to maintain RubyGems.org and support initiatives that drive Ruby's long-term success.
RubyGems and Bundler's Role in the Ruby Ecosystem
For nearly two decades, RubyGems and Bundler have served as the core infrastructure that enables Ruby developers to create, share, and install gem libraries with ease. This infrastructure has become indispensable in Ruby development, particularly for teams working with Rails, where it plays a vital role in the setup, deployment, and maintenance of applications.
A Timeline of RubyGems and Bundler's Evolution
- 2003: RubyGems was conceived at RubyConf (hosted by Ruby Central), marking the start of a standardized package management system for Ruby.
- 2004: RubyGems launched, simplifying the installation and management of gem libraries for developers.
- 2009: Bundler was developed to address dependency conflicts, ensuring compatible libraries within Ruby applications.
- 2010-2014: Widespread adoption of RubyGems and Bundler, with significant contributions from Yehuda Katz, supported by Engine Yard.
- 2015: Ruby Together was founded by André Arko to support ongoing maintenance of RubyGems and Bundler after Engine Yard stepped back.
- 2019: Funding and sustainability challenges led to merger discussions between Ruby Together and Ruby Central.
- 2022: Ruby Together merged with Ruby Central, creating a unified organization to oversee Ruby's core infrastructure and community initiatives.
- 2023: Ruby Central formed the Open Source Software (OSS) Committee to implement a formal governance structure for RubyGems, Bundler, and RubyGems.org.
The Open Source Committee
The Open Source (OSS) Committee was formed by Ruby Central in 2023, following our merger with Ruby Together. The committee is responsible for long-term strategy, governance, and funding for Ruby's core open source tools, including RubyGems, Bundler, and RubyGems.org.
Over the past year, the OSS Committee focused on critical infrastructure improvements, bolstering security measures, and building a sustainable contributor pipeline. Key initiatives included implementing structured governance, improving alignment with industry security and compliance standards, and securing consistent funding from corporate sponsors and community partners. Through these efforts, the committee is laying a strong foundation for technical growth and community resilience.
To learn more about the Open Source Committee, you can read the announcement post on our blog.
Major Initiatives and Developments
Trusted Publishing and Sigstore Integration
In late 2023, we launched Trusted Publishing, a feature based on OpenID Connect (OIDC) that enables secure, automated gem publishing from trusted environments like GitHub Actions. By eliminating the need for long-lived API tokens, Trusted Publishing reduces security risks and streamlines the publishing process for developers.
Additionally, we have been focused on ongoing work with Sigstore, with the goal of creating a reliable system for signing and verifying gem attestations without persistent signing keys. Over the past year, we developed the Sigstore Ruby client (a task made challenging by our constraint to avoid native code outside the Ruby standard library) and are now working to integrate it into RubyGems, Bundler, and RubyGems.org. Once fully incorporated, Sigstore will enable developers to confirm the authenticity of published gems, establishing a strong foundation for dependency provenance. This work will also help bolster broader industry standards for software provenance through our collaboration with OpenSSF's Securing Software Repositories working group.
Security and Multi-factor Authentication (MFA) Enhancements
In response to a reported MFA vulnerability (CVE-2024-21654), RubyGems.org underwent extensive security enhancements to its authentication processes. We revised MFA requirements, expanded test coverage, and aligned with OWASP security guidelines to strengthen user authentication. This has improved security for login, password reset, and email confirmation by enforcing two-factor authentication across the platform.
Looking ahead, we are considering mandatory MFA for all users in order to align with industry best practices.
Infrastructure Upgrades
This year, we implemented a series of targeted infrastructure upgrades to bolster the reliability, security, and scalability of RubyGems.org. Key updates included:
- Kubernetes platform upgrade: We transitioned RubyGems's Kubernetes cluster to the latest version, improving container orchestration, optimizing resource allocation, and enhancing system stability.
- OpenSearch cluster upgrade: We upgraded OpenSearch, which significantly improved the resilience and speed of data retrieval. This is critical for handling the ever-growing dataset of Ruby gems and delivering fast search results to users.
- PostgreSQL versioning: We upgraded PostgreSQL across major versions through a controlled, manual migration process, ensuring compatibility and security without any downtime.
Additionally, we implemented Datadog Cloud Security Management (CSM), enabling continuous, real-time monitoring of potential vulnerabilities. This allows us to identify and respond to security risks swiftly and gives our team an added layer of visibility into infrastructure health.
Bundler Lockfile Checksums
In December 2023, we launched Bundler Lockfile Checksums as an opt-in feature to ensure that production environments deploy the exact dependencies used during development. This is a security feature that protects against supply chain attacks, such as split view and artifact replacement, by verifying that the deployed packages match the authoritative versions provided by RubyGems.org. Essentially, Bundler Lockfile Checksums offer many of the benefits of a binary transparency log without the need for extensive infrastructure changes.
Building this feature required nearly two years and the involvement of four engineers. Challenges included managing the variety of gem sources, ensuring authoritative checksums for package versions, and onboarding existing Bundler projects without compromising on security. We adopted this feature in our own production environment for RubyGems to verify dependencies and ensure compatibility with other users.
We have been gathering user feedback throughout the initial rollout and are working to further refine and improve this feature (such as adding more controls and an interface to streamline usage) before releasing it to the public in December 2024.
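To make the verification step concrete, here is an added Ruby example (not Bundler's own code) that parses the CHECKSUMS section of a Gemfile.lock and compares a fetched .gem payload against the locked SHA-256, rejecting a replaced artifact. The lockfile excerpt and gem payloads are constructed for the demonstration, and the `name (version) sha256=<hex>` line format is assumed.

```ruby
require "digest"

# Parse the CHECKSUMS section of a Gemfile.lock into { "name-version" => sha256hex }.
# Assumed entry format: "  name (version) sha256=<64 hex chars>" under a "CHECKSUMS" header.
def parse_lock_checksums(lockfile)
  checksums = {}
  in_section = false
  lockfile.each_line do |line|
    if line.start_with?("CHECKSUMS")
      in_section = true
      next
    end
    # Any other non-indented header (DEPENDENCIES, PLATFORMS, ...) ends the section.
    in_section = false if in_section && line.match?(/\A\S/)
    next unless in_section
    if (m = line.match(/\A\s+(\S+) \(([^)]+)\) sha256=([0-9a-f]{64})\s*\z/))
      checksums["#{m[1]}-#{m[2]}"] = m[3]
    end
  end
  checksums
end

# Compare a fetched .gem payload with the locked checksum.
# Returns :ok on match, :mismatch when the artifact differs (possible replacement),
# or :missing when the lockfile holds no checksum for that gem/version.
def verify_gem(checksums, name, version, gem_bytes)
  expected = checksums["#{name}-#{version}"]
  return :missing unless expected
  Digest::SHA256.hexdigest(gem_bytes) == expected ? :ok : :mismatch
end

# Constructed stand-ins for real .gem archives.
GOOD_RAKE = "constructed bytes of rake-13.0.6.gem".b
GOOD_RACK = "constructed bytes of rack-3.0.8.gem".b

# Constructed lockfile excerpt; the checksums are derived from the payloads above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rake

  CHECKSUMS
    rack (3.0.8) sha256=#{Digest::SHA256.hexdigest(GOOD_RACK)}
    rake (13.0.6) sha256=#{Digest::SHA256.hexdigest(GOOD_RAKE)}
LOCK

if __FILE__ == $PROGRAM_NAME
  checksums = parse_lock_checksums(SAMPLE_LOCK)
  puts verify_gem(checksums, "rake", "13.0.6", GOOD_RAKE)          # ok
  puts verify_gem(checksums, "rake", "13.0.6", GOOD_RAKE + "x".b)  # mismatch (tampered artifact)
  puts verify_gem(checksums, "nokogiri", "1.16.0", "".b)           # missing (not locked)
end
```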
Organization Accounts for RubyGems.org
The new Organization Accounts feature is a robust permissions management framework that allows teams to manage gem access and roles within a secure, structured environment. This feature is especially useful for large organizations such as AWS that manage extensive gem libraries and require streamlined permission control. Associating gems with an organization also enhances security by mitigating the risk of misrepresentation through gem naming.
This feature marks a significant step forward in aligning RubyGems with enterprise needs. It is also a stepping stone toward future work, such as scoped gems, SAML/OpenID authentication, and other enterprise features that may offer future revenue.
This feature is being rolled out in two phases, with internal permissions released this year and full organizational connections to gems coming shortly after. This work will be previewed at RubyConf 2024 in Chicago.
Notable Fixes and Performance Improvements
Caching Git Gems
In response to challenges highlighted by GitHub, we have implemented improvements to Git-based gem caching, addressing issues that previously created redundant processing for dependencies stored in Git repositories. These improvements streamline dependency management across complex projects, reducing unnecessary fetch operations and improving efficiency for developers working with Git-managed gems.
Bundler auto_install Enhancement
In collaboration with Gusto, we expanded Bundler's auto_install feature to operate seamlessly across any command that invokes code updates. Previously limited to specific commands, this improvement reduces repetitive bundle install steps, ensuring that any changes to dependencies are automatically installed. The enhancement has proved particularly valuable for large teams, significantly optimizing their workflows and minimizing redundant manual intervention.
Project-specific Gem Caches
We made significant updates to project-specific gem caching, improving dependency management for environments that require a contained gem cache, such as offline or self-contained setups. By resolving issues with dependencies sourced from Git rather than gem servers, projects can now maintain a local cache without additional scripts or workarounds. Positive feedback from GitHub and other organizations indicates that these changes have greatly simplified workflows for teams relying on isolated gem environments.
Gem Rebuild
The "gem rebuild" command enables verification of a .gem file by confirming it was generated from an expected source (provided that the gem supports reproducible builds and the source is available). This tool is useful for auditing and compliance, allowing developers to ensure that gems remain consistent with their original source code.
Security Audit
Through support from the Alpha-Omega Project, Ruby Central partnered with Trail of Bits for a comprehensive security audit of the RubyGems.org Rails application and its underlying AWS infrastructure.
The audit identified 33 issues, including seven medium-severity items and one high-severity item. Notably, most of these findings do not constitute actual security breaches. Our team has been addressing each finding and using these insights to bolster RubyGems's security posture.
Overall, the audit attests to the effort that the core team has put into ensuring RubyGems.org is secure and reinforces that we are working in the right direction with our efforts to implement more of our infrastructure as code and to codify and constrain our access policies.
Community and Ecosystem Support
Ruby Toolbox Maintenance and Enhancements
To mark its 15th anniversary, we have made a series of significant updates to Ruby Toolbox, enhancing its functionality and compatibility with current versions of Ruby and Rails. We also needed to optimize the backend to handle larger data volumes, as the download count of the Bundler gem exceeded the integer column size that was originally chosen for the Postgres table that stores it.
We also implemented a partial and regularly updated production database dump that can be easily imported into local environments, allowing developers to quickly load a realistic dataset on their machines by running bin/pull_database. We also configured a default setup for GitHub Codespaces so users can instantly launch a cloud-based development environment for Ruby Toolbox. These updates have made it faster and easier for contributors to explore and work with the codebase.
Additional features will include security vulnerability reports and comparative code size metrics, providing developers with a clearer picture of their gem dependencies. These insights aim to offer a more comprehensive view of library size, dependency trees, and potential security concerns.
Over the past year, Ruby Central hosted RubyConf and RailsConf, which served as key events for Rubyists to exchange knowledge, discuss emerging trends, and collaborate on Ruby's future. Our open source team also focused on building tools and resources that cater to developers of all skill levels, from beginners to advanced contributors. These efforts reinforce Ruby's reputation as an accessible and resilient programming language and community.
Impact of open source from November 1st, 2023 to October 31st, 2024:
- Total number of contributors to RC's open source projects:
  - 98 unique contributors to RubyGems/Bundler
  - 34 unique contributors to RubyGems.org
- Total number of downloads/installs of RC tools and packages:
  - Over 34 billion gem downloads
  - Bundler downloaded 570 million times
- Total funding:
Our OSS work is driven by these key contributors (listed alphabetically):
Arun Agrawal is a longtime Ruby developer, active since 2007, with contributions to the Rails framework and various open source projects. His work spans web applications and infrastructure management for platforms like RubyGems.org.
André Arko is a Ruby and Rails developer with over 20 years of experience. As a key member of the Bundler and RubyGems core teams and author of The Ruby Way, 3rd Ed., André has also built projects like cuberule.com and sunchaser.io, aiming to make life easier for on-call developers.
Ellen Marie Dash manages vulnerability reports for RubyGems, coordinating with HackerOne to maintain security across the ecosystem.
Gift Egwuenu is a Developer Advocate at Cloudflare with over seven years of web development experience. Specializing in developer relations, Gift contributes actively to open source initiatives, including writing monthly updates for RubyGems, and is passionate about making complex technology accessible.
Martin Emde is a Principal Engineer at Cloud City Development and a core maintainer of RubyGems.org and Bundler. Known for his collaborative and open-minded approach, Martin values curiosity and inclusive problem-solving. He lives in the mountains of California with his family.
Samuel Giddins is the Security Engineer in Residence at Ruby Central, where he leads security efforts for RubyGems and RubyGems.org. With over a decade working in Ruby tooling, Samuel is committed to safeguarding the ecosystem.
Marty Haught leads Ruby Central's Open Source Program as the Director of Open Source. An avid community builder based near Boulder, Colorado, he founded the Boulder Ruby group and has been an active member of the Ruby community since 2005. Outside of tech, Marty enjoys channeling his creativity into baking and cooking, much to the delight of his family.
Irene Kannyo contributes to Ruby Central's open source marketing efforts, helping keep the community informed and engaged.
David Rodríguez contributes actively to the Bundler and RubyGems ecosystems, strengthening tools that serve the Ruby community.
Josef Šimánek is a Ruby developer with over 15 years of experience, based in Prague, Czech Republic. Passionate about database systems, particularly PostgreSQL, Josef actively collaborates with the community to build tools that make development more impactful.
Colby Swandale is a core contributor to RubyGems.org and creator of rubyapi.org. Dedicated to improving Ruby tooling, Colby aims to empower developers to build applications with greater ease.
There are numerous ways you can get involved with Ruby Central's Open Source Program:
- Contribute code to RubyGems
- Join the conversation in the Bundler Slack
- Read our RFCs and provide feedback: github.com/rubygems/rfcs
- If you think you have found a security issue, please report it via HackerOne
- Become a sponsor of Ruby Central to help fund our critical work (details coming soon)