State of RubyGems 2024

Marty Haught
November 14, 2024


Transcript

  1. Your intrepid presenter
     RubyGems.org ▪ @segiddins ▪ Samuel Giddins ▪ RubyGems, Bundler, RubyGems.org maintainer ▪ Security Lead & Security Engineer in Residence ▪ 10+ year bug contributor
  2. Why Security
     → Do you really know what’s in your software?
     → Software ate the world in 2011.
     → Software runs our lives, from our bank accounts to the power grid to delivering the memes keeping us entertained.
  3. Why Security
     → Large enterprises now focus on security.
     → Small businesses have more liability when security incidents happen.
     → The US & EU governments are drafting legislation that makes ignoring cybersecurity a non-option.
  4. Our Goal
     Keep Ruby the best and most pleasant language to use for projects of all sizes.
  5. In 2024, security is a big part of the ecosystem. It’s not going away.
  6. The alphabet soup isn’t fun
     → SLSA, CRA, SBOM, GUAC, oh my!
     → Trust me, I know as well as anyone.
     → These schemes are must-haves.
     → If Ruby isn’t an option for those who need to check the boxes, they’ll be forced to leave the community.
  7. 12 Months of Security Residence
     ✓ Rolled out Trusted Publishing
     ✓ Responded to major supply chain incidents (xz)
     ✓ Built tooling to make that less miserable
     ✓ Wrote a sigstore Ruby client
     ✓ Led response to a security audit
     ✓ Integrating sigstore into RubyGems & Bundler
     ✓ Contributed to cross-ecosystem goals for “modern” packaging ecosystems
  8. 12 Months of Security Residence
     ✓ Extensive 🤔 Thought Leadership 🤔 in Open Source Software Supply Chain Security
     ✓ Plus everything else being a maintainer entails
  9. Trusted Publishing
     → Publishing done via machine identities
     → GitHub Actions release workflows
     → No more maintaining long-lived creds!
     → Add to your gem today: github.com/rubygems/configure_trusted_publisher
       gem exec configure_trusted_publisher rubygem
  10. Trusted Publishing
      → 2400 versions pushed
      → 349 distinct gems
      → Can we double that number of gems before we leave Chicago?
      → 261,640,877 downloads
  11. Ecosystem Health [xz]
      → Index the content of every single gem
      → Surface security events so rubygems.org users & gem owners can audit
      → Reduce time to detection & time to declare all clear
      → More time for us to bring you exciting new features
  12. Sigstore
      Making sure your software is what it claims to be. Cryptographically sound system that allows me to hand you a bundle saying:
      • github.com/sigstore/sigstore-ruby at tag v0.1.1, commit f106999, workflow release.yml
      • Built a file sigstore-ruby-0.1.1.gem with checksum 0c2c3c5d175b204252eeb1507bfb79e330009188d160525d2871b5272f958897
  13. Sigstore
      Allows me to say: all my releases of sigstore-ruby should come from the sigstore-ruby repo.
  14. Security Audit
      → Performed by Trail of Bits
      → Funded by Alpha-Omega
      → In-depth retro on the RubyGems Blog in the next month!
      ✓ tl;dr: RubyGems.org is in good shape
  15. Martin Emde
      Principal Engineer @ Cloud City
      • Rubyist since 2005
      • Open Source Contributor (Rails, RubyGems, etc.)
      • ~2 years on RubyGems team
      • Hire me? Contract? → cloudcity.io
      @[email protected]
  16. RubyGems.org needed a refresh
      • Usability was suffering
      • Aging CSS, JavaScript, and patterns (BEM?)
      • Harder to add new features
  17. “There was a whisper in the dark. The miners had begun the construction… It was all awfully exciting...” – Mysterious Ruby Gem Miner
  18. Managing gems as a team
      Your options:
      1. Use 1 account → share it very carefully (e.g. AWS)
      2. Add everyone to all the gems (e.g. Rails)
      3. Get Owner → remove everyone else (e.g. “that guy”)
  19. Maintainer Role
      • Like a miniature organization of 1 gem.
      • Push gems without all that “remove everyone.”
      • Owners can invite maintainers.
      • Available now: we trust you to be nice!
  20. Goals for Organization Accounts
      • Opt-in
      • Don’t disrupt existing use cases
      • Manage multiple gems & people easily
      • Describe actions clearly before they happen
  21. About Org Naming
      “We had to declare bankruptcy on manual organization name approvals. There were way too many.” – Maintainers of PyPI (paraphrased)
  22. Orgs are named after gems
      • The gem name “land rush” is over.
      • Most name rights battles are settled.
      There will be exceptions… but we hope not as many.
  23. Beta Testing Orgs at RubyConf 2024
      Find me during Hack Day to get started.
      Disclaimer: not for important production gems. This is an early beta.
  24. Marty Haught
      Director of Open Source, @mghaught.bsky.social
      • Rubyist since 2005
      • Conference organizer, 15+ years
      • Former board member of Ruby Central, 11 years
      • Engineering Director; Fastly, HashiCorp alum
  25. Timeline
      ◎ 2004 RubyGems released, hosted on RubyForge
      ◎ 2009 Gemcutter → RubyGems.org
      ◎ 2015 Ruby Together formed
      ◎ 2022 Ruby Together merged with Ruby Central
      ◎ 2023 Ruby Central forms the OSS Committee
      ◎ 2024 Ruby Central launches Open Source Program
  26. Open Source Program
      Maintaining and improving critical infrastructure and tools for the Ruby ecosystem. Read more on RubyCentral.org.
  27. Our Mission
      To sustainably provide high-quality and secure infrastructure through RubyGems to reliably build Ruby software that enables businesses and our community to thrive. We are dedicated to supporting impactful open source projects on behalf of the Ruby community and fostering the growth of open source contributors to ensure the continuity of the Ruby ecosystem.
  28. Our team
      Arun Agrawal, David Rodríguez, Colby Swandale, André Arko, Ellen Marie Dash, Gift Egwuenu, Irene Kannyo, Marty Haught, Martin Emde, Josef Šimánek, Samuel Giddins
  29. Notable improvements
      ▪ Addressed MFA bypass CVE (CVE-2024-21654)
      ▪ Bundler lockfile checksums
      ▪ Bundler auto_install enhancements
      ▪ Caching git gems
      ▪ Project-specific gem caches
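The checksum in the Sigstore bundle on slide 12 and the Bundler lockfile checksums on slide 29 rest on the same check: recompute SHA-256 over the .gem file you actually have and compare it with a digest recorded out of band. The Ruby below is an added illustration for this transcript, not Bundler's or sigstore-ruby's own code. It parses the CHECKSUMS section of a Gemfile.lock (the `name (version) sha256=<hex>` lines the Bundler 2.5+ lockfile layout carries), verifies in-memory gem contents against it, and distinguishes the outcomes a practitioner has to handle: a match, a tampered file, an entry with no recorded digest, and a gem the lockfile never mentions. The lockfile text, gem names and gem bytes are constructed stand-ins, not real artifacts.

```ruby
require "digest"

# Added example (not Bundler's or sigstore-ruby's code): parse the CHECKSUMS
# section of a Gemfile.lock into { "name-version" => sha256 hex or nil }.
# An entry with no "sha256=" suffix (no digest was recorded) maps to nil.
def parse_lockfile_checksums(lockfile_text)
  checksums = {}
  in_section = false
  lockfile_text.each_line do |line|
    if line.start_with?("CHECKSUMS")
      in_section = true
      next
    end
    # Lockfile sections end at the first blank or non-indented line.
    if in_section && (line.strip.empty? || !line.start_with?("  "))
      in_section = false
    end
    next unless in_section
    m = line.match(/\A\s+(\S+) \(([^)]+)\)(?: sha256=([0-9a-f]{64}))?\s*\z/)
    next unless m
    checksums["#{m[1]}-#{m[2]}"] = m[3]
  end
  checksums
end

# Compare downloaded gem contents ({ "name-version" => bytes }) with the lockfile.
# Returns { "name-version" => :ok | :mismatch | :missing_checksum | :not_in_lockfile }.
def verify_gems(checksums, gems)
  gems.to_h do |key, bytes|
    status =
      if !checksums.key?(key)                                 then :not_in_lockfile
      elsif checksums[key].nil?                               then :missing_checksum
      elsif Digest::SHA256.hexdigest(bytes) == checksums[key] then :ok
      else :mismatch
      end
    [key, status]
  end
end

# Constructed stand-ins for .gem file contents (not real gem archives).
SAMPLE_GEMS = {
  "rack-3.1.7"  => "constructed stand-in for rack-3.1.7.gem",
  "rake-13.2.1" => "constructed stand-in for rake-13.2.1.gem",
}.freeze

# Constructed Gemfile.lock in the Bundler 2.5+ layout. The rexml entry is
# written without a digest to stand for an entry no checksum was recorded for.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.7)
      rake (13.2.1)
      rexml (3.3.9)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rake
    rexml

  CHECKSUMS
    rack (3.1.7) sha256=#{Digest::SHA256.hexdigest(SAMPLE_GEMS["rack-3.1.7"])}
    rake (13.2.1) sha256=#{Digest::SHA256.hexdigest(SAMPLE_GEMS["rake-13.2.1"])}
    rexml (3.3.9)

  BUNDLED WITH
     2.5.22
LOCK

# Simulates a fetch in which rake was tampered with in transit and nokogiri
# was pulled in without ever being locked (both constructed scenarios).
def demo_results
  downloaded = SAMPLE_GEMS.merge(
    "rake-13.2.1"     => SAMPLE_GEMS["rake-13.2.1"] + " + injected bytes",
    "rexml-3.3.9"     => "constructed stand-in for rexml-3.3.9.gem",
    "nokogiri-1.16.7" => "constructed stand-in for nokogiri-1.16.7.gem",
  )
  verify_gems(parse_lockfile_checksums(SAMPLE_LOCKFILE), downloaded)
end

if $PROGRAM_NAME == __FILE__
  demo_results.each { |gem, status| puts "#{gem.ljust(18)} #{status}" }
end
```

The point of the four-way result is that "no mismatch" is not the same as "verified": a gem whose lockfile entry carries no digest, or one that is not in the lockfile at all, has not been checked against anything, and a build that cares about the supply chain should fail on those cases rather than only on an outright mismatch.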
  30. Infrastructure improvements
      ▪ Kubernetes platform upgrade
      ▪ OpenSearch cluster upgrade allowing multi-AZ
      ▪ PostgreSQL 13 upgrade
      ▪ Datadog Cloud Security Management
  31. Steady release cadence
      ▪ 24 releases of RubyGems and Bundler
      ▪ Every 2-4 weeks
      ▪ Quick turnaround on bug fixes
  32. 24/7 on-call rotation
      ▪ Added a secondary rotation to on-call
      ▪ 100% uptime with no major outages
      ▪ Over 17,000 hours of on-call
  33. Working groups
      OpenSSF ▪ Securing Software Repos ▪ Supply Chain Integrity
      Eclipse Foundation ▪ Open Regulatory Compliance (European Cyber Resilience Act, CRA)
  34. Foundation: the base for mission-critical services
      ▪ Service uptime
      ▪ Bug fixes, maintenance, security patches
      ▪ Regular release cadence
      ▪ Customer support
  35. Security: for DevSecOps, Legal, Compliance
      ▪ Supply chain security
      ▪ Cloud infrastructure controls
      ▪ Compliance
      ▪ Security working group
  36. Stability: for Ruby devs, build systems
      ▪ Disaster recovery, regional failover
      ▪ Runbooks, systems documentation
      ▪ Streamlined cloud infrastructure
  37. Sustainability: for us, so we can keep doing this
      ▪ Recurring revenue
      ▪ Internal documentation, onboarding
      ▪ Bringing in the next generation
  38. Developer funding
      ◎ 2003 RubyConf hacking == RubyGems
      ◎ 2004-14 Fully volunteer
      ◎ 2009 Engine Yard funded 1 FTE for Bundler
      ◎ 2015-21 Ruby Together memberships funded 1/2 FTE
      ◎ 2022-24 Expanded program funding: Shopify’s Ruby Shield, AWS, STF, Alpha-Omega
  39. Funding Sources
      ▪ Donated Services
      ▪ Memberships
      ▪ Corporate Sponsorships
      ▪ Program-specific Funding Partners