Baltic_Ruby_Keynote_2025.pdf

Marty Haught

June 13, 2025
Transcript

  1. RubyGems.org: We’ve come a long way
     ▪ Ruby is over 30 years old
     ▪ RubyGems is over 20 years old
     ▪ Ruby on Rails is over 20 years old
  2. What’s changed
     ▪ The ecosystem has matured
     ▪ Scale is at another level
     ▪ Massive growth in packages and dependencies
     ▪ Rise of modern supply chain attacks
  3. Reliability
     ▪ What’s the right level of reliability for RubyGems.org?
     ▪ Should we strive to be enterprise grade?
     ▪ Should we settle for a cost-efficient best effort?
  4. Security
     ▪ Are we ready for the growing threats to supply chain security?
     ▪ How will increased compliance requirements impact us?
  5. Sustainability
     ▪ How do we keep maintainers and projects healthy?
     ▪ How do we prepare our future OSS contributors?
     ▪ What are realistic funding models to pursue?
  6. Marty Haught, Director of Open Source, Ruby Central (@mghaught.bsky.social)
     • Rubyist since 2005
     • Conference organizer, 15+ years
     • Engineering Director; Fastly, HashiCorp alum
  7. Timeline
     ◎ 2001 Ruby Central is formed
     ◎ 2003 RubyGems developed by Ruby Central
     ◎ 2009 RubyGems.org was launched, Bundler created
     ◎ 2015 Ruby Together formed, took over operations
     ◎ 2022 Ruby Together merged with Ruby Central
     ◎ 2023 Ruby Central forms the OSS Committee
     ◎ 2024 Ruby Central launches Open Source Program
  8. Open Source Program: Maintaining and improving critical infrastructure and tools for the Ruby ecosystem. Read more on RubyCentral.org
  9. Our Mission: To sustainably provide high-quality and secure infrastructure through RubyGems to reliably build Ruby software that enables businesses and our community to thrive. We are dedicated to supporting impactful open source projects on behalf of the Ruby community and fostering the growth of open source contributors to ensure the continuity of the Ruby ecosystem.
  10. RubyGems.org statistics (for May)
     → 4.05B gems downloaded
     → 1.15 PB total bandwidth
     → 431 MB/s average network traffic
     → 1514 gem req/sec
     → 46 GB gem data ingested
  11. Running RubyGems.org
     ▪ Operations
     ▪ On call
     ▪ Upgrades and security patches
     ▪ Customer support
     ▪ Security vulnerability reports (HackerOne)
     ▪ Regular rubygems and bundler releases
  12. 2025 forecast: $1.4M budget
     ▪ $733k collected
     ▪ $385k committed
     ▪ $380k gap
     ▪ 51% is grant-based, non-recurring
  13. What would you do? For 4 hours:
     ▪ You might not notice
     ▪ You’d check status, ETA
     ▪ Wait for it to come back up
  14. What would you do? For 4 days:
     ▪ Curse that you didn’t vendor your gems
     ▪ Find a workaround
  15. How easily could you cache gems?
     ▪ Use a paid service like Artifactory or Cloudsmith
     ▪ Run your own private mirror
     ▪ Karafka estimates 95% of their users do not
     ▪ The team said it would be painful
     ▪ There are some open issues that make it inconvenient
  16. What would you do? For 4 weeks:
     ▪ How do you get updated gems?
     ▪ How do you publish gems?
     ▪ What about security vulnerabilities?
  17. On call, for 2024: 24/7 primary and secondary rotations
     ▪ 83 notifications
     ▪ 100% uptime, zero outages
     ▪ Isolated degradations of service, typically our job queue
  18. On call changes, for 2025
     ▪ Secondary rotation funding ends after June
     ▪ We’re discussing an alternative escalation policy
     ▪ Current thought: best effort response
  19. Disaster Recovery
     ▪ No full outages in over 10 years!
     ▪ We have no formal DR plan
     ▪ Nightly RDS DB back-ups, long term storage
     ▪ 90% of infrastructure is defined in Terraform
     ▪ We haven’t rebuilt production, so MTTR is a best guess
  20. Disaster Recovery Proposal
     ▪ Establish an SLA on services
     ▪ Draft formal DR plan and test execution
     ▪ Consider read-only hot standby
     ▪ Not funded yet
  21. Security Audit, by Trail of Bits
     ▪ Overly permissive AWS IAM permissions
     ▪ Insufficient role separation and domain isolation
     ▪ Hybrid infra management, mixing manual changes with infrastructure-as-code
  22. Infra Security Proposal Goals
     ▪ Principle of least privilege
     ▪ Eliminate long-lived credentials
     ▪ Comprehensive observability for auditability
     ▪ Minimize manual manipulations
  23. Infra Security Proposal
     ▪ This is our big project for 2025
     ▪ Initial phase has been funded
     ▪ Includes SSO team access, SIEM integration
     ▪ 80% remains unfunded
     ▪ Will serve as the base for other reliability projects
  24. Reliability outlook
     ▪ Solid system performance with zero downtime
     ▪ Single on call rotation, post June
     ▪ Funding gap restricts to a lean budget, “best effort” reliability
     ▪ Infra security projects paused for funding
  25. Malicious gem scanning
     ▪ Post-publishing, with retroactive rescans
     ▪ Volunteer-led process
     ▪ Maciej Mensfeld with Mend.io
  26. Supply chain attack vectors
     ▪ Account takeover
     ▪ Malicious gem publishing
     ▪ Typosquatting (name confusion)
     ▪ Dependency confusion (substitution attack)
  27. Principles for Package Repository Security, by OpenSSF’s Securing Software Repos Working Group
     ▪ Defines capabilities across 4 levels
     ▪ Categories: Authentication, Authorization, General capabilities, and CLI tooling
  28. Recent improvements
     ▪ Authentication and Authorization (MFA, permissions)
     ▪ Trusted Publishing (right person publishing)
     ▪ Sigstore (ensuring a gem is what it claims to be)
     ▪ Only 5% Sigstore adoption* among top downloaded gems
       * https://segiddins.github.io/are-we-attested-yet/
  29. 2025 projects
     ▪ Precompiled binaries (avoid install-time compiling)
     ▪ Binary transparency for package uploads
     ▪ Assessing Package Repository Security levels
     ▪ Bundle audit
     ▪ [stretch] In-house malicious gem scanning
  30. Security Funding
     ▪ 75% is grant funding through Alpha-Omega
     ▪ Bundle Audit unfunded
     ▪ Malicious gem project unfunded
  31. Cyber Resilience Act (“GDPR for cybersecurity”)
     ▪ New EU law that sets cybersecurity requirements for digital products
     ▪ Commercial products in the EU market
     ▪ Includes all dependencies (yes, open source too)
  32. Products with digital elements, examples
     ▪ Software products (operating systems, dev tools)
     ▪ Cloud-connected and SaaS platforms
     ▪ Consumer electronics (smartphones, laptops)
     ▪ IoT devices (smart home devices, wearables)
     ▪ Non-commercial or regular websites do not apply
  33. OSS developers
     ▪ No obligations unless commercial activity
       ◦ Such as charging a price, charging for services
     ▪ Financial support or donations don’t automatically count
     ▪ Likely to see more patches from manufacturers
     ▪ Best practice to provide evidence of security
  34. Open source stewards
     ▪ Emplace & document cybersecurity policy, handle vulnerabilities, foster reporting of vulnerabilities
     ▪ Cooperate with the market surveillance authorities to mitigate risks
     ▪ Report on actively exploited vulnerabilities & severe incidents
     That’s RubyGems.org!
  35. Manufacturers
     ▪ Ensure cybersecurity by design and by default
     ▪ Conformity assessment
     ▪ Documentation of product’s cybersecurity measures
     ▪ Vulnerability handling and reporting
     ▪ Post-market surveillance
     ▪ Vulnerability patching
  36. Important dates
     ◎ 11 Jun 2026 Governments, assessment bodies ready
     ◎ 11 Sep 2026 Manufacturers must report vulnerabilities
     ◎ 11 Dec 2027 All regulations apply
  37. CRA penalties
     ▪ Non-compliance with essential cybersecurity requirements: up to €15M or 2.5% of global turnover
     ▪ Most other non-compliance: up to €10M or 2% of global turnover
     ▪ Incorrect or misleading information: up to €5M or 1% of global turnover
  38. CRA resources
     ▪ Visit OpenSSF’s CRA page
       ◦ Search ‘openssf cra’
     ▪ https://openssf.org/public-policy/eu-cyber-resilience-act/
     ▪ They have a free online course to learn more
  39. CRA plans
     ▪ Educate and spread awareness
     ▪ Provide guidance for maintainers and manufacturers
     ▪ Improve tooling around compliance
  40. Security outlook
     ▪ Security is our best funded aspect
     ▪ Concern with grant funding ratio
     ▪ Lack of awareness and adoption of best practices
     ▪ CRA obligations will cause a scramble
  41. Some actively downloaded gems (monthly downloads)
     ▪ representable 10m (used by Google SDK gem)
     ▪ rest-client 4.2m
     ▪ xpath 4.7m
     ▪ ethon 4.1m (libcurl wrapper)
  42. Gems with lax security
     ▪ No CI workflows
       ◦ OR CI doesn’t include modern Ruby versions
     ▪ Missing a security policy
     ▪ Gemspec or README that lacks metadata
     ▪ No adoption of new security features (provenance)
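As an added illustration (not code from the talk or from RubyGems.org), a small Ruby check that flags the signals listed on the slide above, given a gemspec and a listing of the repository’s files; the gem names, metadata values and file lists are constructed samples, and the metadata keys are the ones RubyGems documents for gemspecs.

```ruby
require "rubygems"

# Metadata keys RubyGems recommends for a gemspec: the *_uri keys point consumers at
# source, changelog and bug tracker; rubygems_mfa_required makes RubyGems.org demand MFA to publish.
RECOMMENDED_METADATA = %w[
  homepage_uri source_code_uri changelog_uri bug_tracker_uri rubygems_mfa_required
].freeze

# Paths (relative to the repository root) that count as a security policy.
SECURITY_POLICY_FILES = %w[SECURITY.md .github/SECURITY.md].freeze

# Returns an array of findings for one gemspec plus the repository's file paths;
# an empty array means none of the lax-security signals fired.
def lax_security_findings(spec, repo_files)
  findings = []
  missing = RECOMMENDED_METADATA - spec.metadata.keys
  findings << "gemspec metadata missing: #{missing.join(', ')}" unless missing.empty?
  unless spec.metadata["rubygems_mfa_required"] == "true"
    findings << "rubygems_mfa_required is not 'true', so publishing is allowed without MFA"
  end
  ci_workflows = repo_files.grep(%r{\A\.github/workflows/.+\.ya?ml\z})
  findings << "no CI workflows under .github/workflows" if ci_workflows.empty?
  findings << "no security policy (SECURITY.md)" if (repo_files & SECURITY_POLICY_FILES).empty?
  findings
end

# Constructed sample (hypothetical gem) with the gaps the slide describes.
LAX_SPEC = Gem::Specification.new do |s|
  s.name    = "example-lax-gem"
  s.version = "1.0.0"
  s.summary = "constructed example with missing metadata"
  s.authors = ["example"]
  s.metadata = { "homepage_uri" => "https://example.invalid" }
end

# Constructed sample (hypothetical gem) carrying the recommended metadata.
GOOD_SPEC = Gem::Specification.new do |s|
  s.name    = "example-good-gem"
  s.version = "1.0.0"
  s.summary = "constructed example with recommended metadata"
  s.authors = ["example"]
  s.metadata = RECOMMENDED_METADATA.to_h do |key|
    [key, key == "rubygems_mfa_required" ? "true" : "https://example.invalid"]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts lax_security_findings(LAX_SPEC, ["README.md", "lib/example.rb"])
  puts lax_security_findings(GOOD_SPEC, ["SECURITY.md", ".github/workflows/ci.yml"]).inspect
end
```

The CI check only tests for the presence of a workflow file; whether the matrix covers modern Ruby versions still needs a look inside the workflow.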
  43. Possibilities
     ▪ Should we take an active role to deprecate?
     ▪ Gem maintainers guide
     ▪ Bring awareness to unmaintained high volume gems
     ▪ Adopt a gem
  44. Adopt a gem
     ▪ Connects OSS contributors to gems in need
     ▪ Provide a playbook for adopting security features
     ▪ Minimal updates, runs on latest Ruby versions
     ▪ Internal team could step in for critical gems
  45. Fiscal sponsorship
     ▪ A way for open source projects to receive donations, hold funds, and manage finances without forming a legal entity
     ▪ Notable examples: Software Freedom Conservancy, Open Collective
  46. Ruby Central Program
     ▪ Hanami is our first recipient
     ▪ Simplifies fundraising for projects
     ▪ Higher percentage of funds go to the project
     ▪ What other projects might be interested?
  47. Possibilities
     ▪ Make it easier for new members to contribute
     ▪ Develop onboarding and training
     ▪ Intentionally recruit
     ▪ Funding will be an important piece
  48. 2024 Open Source Software Funding Report, Key Findings (by GitHub, the Linux Foundation, and Harvard University)
     ▪ Organizations contribute $7.7 billion USD annually to open source software
     ▪ The majority (86%) of contribution value is employee labor
  49. Employee staffing
     ▪ Natural fit for augmentation, boosting a project
     ▪ Not ideal for a service
     ▪ Increased overhead
     ▪ What happens when business interests change?
  50. Grants
     ▪ Takes effort to apply, uncertain if you’ll get it
     ▪ Not always available
     ▪ Usually one-time funding
     ▪ Not a fit for critical services or maintenance
  51. Fundraising: Show a need, find supporters, convince them to contribute
     ▪ Default mode for non-profits
     ▪ Donations
     ▪ Annual membership or sponsorships best
     ▪ Requires constant work
  52. Develop a paid offering
     ▪ Charge for business value
     ▪ Not always an option
     ▪ Tricky when you provide a free platform
     ▪ PyPI has paid organizations
  53. 2025 forecast: $1.4M budget
     ▪ $733k collected
     ▪ $385k committed
     ▪ $380k gap
     ▪ 51% is grant-based, non-recurring
  54. Another approach?
     ▪ Give organizations an easier way to financially contribute
     ▪ Amounts of $2K to $5K annually
     ▪ Aim for volume of organizations
     ▪ Demonstrates broad support from community
  55. Sustainability Outlook
     ▪ Abandoned gems present risks
     ▪ Concern for OSS contributor attrition
     ▪ Funding gap limits to lean budget, paused projects
     ▪ Need for sustainable funding model
     ▪ Intrigued by new potential funding approaches
  56. Which way should we go?
     ▪ Should we stay lean, do ‘just enough’?
     ▪ Or play a larger role and invest beyond RubyGems?
  57. How you can help
     ▪ Share what problems you are seeing
     ▪ What part of my message resonated with you?
     ▪ Spread awareness, make introductions
     ▪ I’d love to hear your ideas