Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

State of RubyGems 2024

Marty Haught
November 14, 2024
120

State of RubyGems 2024

Marty Haught

November 14, 2024
Tweet

Transcript

  1. RubyGems.org @segiddins ▪ Samuel Giddins ▪ RubyGems, Bundler, RubyGems.org maintainer

    ▪ Security Lead & Security Engineer in Residence ▪ 10+ year bug contributor Your intrepid presenter
  2. RubyGems.org RubyGems.org → Do you really know what’s in your

    software? → Software ate the world in 2011. → Software runs our lives, from our bank accounts to the power grid to delivering the memes keeping us entertained. Why Security
  3. RubyGems.org → Large enterprises now focus on security. → Small

    businesses have more liability when security incidents happen. → The US & EU governments are drafting legislation that makes ignoring cybersecurity a non-option. Why Security
  4. RubyGems.org Our Goal Keep Ruby the best and most pleasant

    language to use for projects of all sizes
  5. RubyGems.org In 2024, Security is a big part of the

    ecosystem. It’s not going away.
  6. RubyGems.org The alphabet soup isn’t fun → SLSA, CRA, SBOM,

    GUAC, oh my! → Trust me, I know as well as anyone → These schemes are must-haves → If Ruby isn’t an option for those who need to check the boxes, they be forced to leave the community
  7. RubyGems.org 12 Months of Security Residence ✓ Rolled out Trusted

    Publishing ✓ Responded to major supply chain incidents (xz) ✓ Built tooling to make that less miserable ✓ Wrote a sigstore ruby client ✓ Led response to a security audit ✓ Integrating sigstore into RubyGems & Bundler ✓ Contributed to cross-ecosystem goals for “modern” packaging ecosystems
  8. RubyGems.org 12 Months of Security Residence ✓ Extensive 🤔 Thought

    Leadership 🤔 in Open Source Software Supply Chain Security ✓ Plus everything else being a maintainer entails
  9. RubyGems.org Trusted Publishing → Publishing done via machine identities →

    GitHub Actions release workflows → No more maintaining long-lived creds! → Add to your gem today: → github.com/rubygems/configure_trusted_publisher → gem exec configure_trusted_publisher rubygem
  10. RubyGems.org Trusted Publishing → 2400 versions pushed → 349 distinct

    gems → Can we double that number of gems before we leave Chicago? → 261,640,877 downloads
  11. RubyGems.org Ecosystem Health [xz] → Index the content of every

    single gem → Surface security events so rubygems.org users & gem owners can audit → Reduce time to detection & time to declare all clear → More time for us to bring you exciting new features
  12. RubyGems.org Sigstore Making sure your software is what it claims

    to be. Cryptographically sound system that allows me to hand you a bundle saying: • github.com/sigstore/sigstore-ruby at tag v0.1.1, commit f106999, workflow release.yml • Built a file sigstore-ruby-0.1.1.gem with checksum 0c2c3c5d175b204252eeb1507bfb79e330009188d160525d2871b5272f958897
  13. RubyGems.org Sigstore Allows me to say: All my releases of

    sigstore-ruby should come from the sigstore-ruby repo
  14. RubyGems.org Security Audit → Performed by Trail of Bits →

    Funded by Alpha-Omega → In-depth retro on the RubyGems Blog in the next month! ✓ tl;dr: RubyGems.org is in good shape
  15. RubyGems.org Martin Emde • Rubyist since 2005 • Open Source

    Contributor (Rails, RubyGems, etc) • ~2 years on RubyGems team • Hire me? Contract? → cloudcity.io Principal Engineer @ Cloud City @[email protected]
  16. RubyGems.org RubyGems.org needed a refresh • Usability was suffering •

    Aging CSS, JavaScript, and patterns (BEM?) • Harder to add new features
  17. RubyGems.org “There was a whisper in the dark. The miners

    had begun the construction… It was all awfully exciting... – Mysterious Ruby Gem Miner
  18. RubyGems.org Managing gems as a team Your options: 1. Use

    1 account → share it very carefully (e.g. AWS) 2. Add everyone to all the gems (e.g. Rails) 3. Get Owner → Remove everyone else (e.g. “that guy”)
  19. RubyGems.org Maintainer Role • Like a miniature organization of 1

    gem. • Push gems without all that ”remove everyone.” • Owners can invite maintainers. • Available now: We trust you to be nice!
  20. RubyGems.org Goals for Organization Accounts • Opt-in • Don’t disrupt

    existing use cases • Manage multiple gems & people easily • Describe actions clearly before they happen
  21. RubyGems.org About Org Naming “We had to declare bankruptcy on

    manual organization name approvals. There were way too many. – Maintainers of PyPI (paraphrased)
  22. RubyGems.org Orgs are named after gems • The gem name

    “land rush” is over. • Most name rights battles are settled. There will be exceptions… … but we hope not as many.
  23. RubyGems.org Beta Testing Orgs at RubyConf 2024 Find me during

    Hack Day to get started. Disclaimer: Not for important production gems. This is an early beta.
  24. RubyGems.org Marty Haught • Rubyist since 2005 • Conference organizer,

    15+ years • Former board member of Ruby Central, 11 years • Engineering Director, Fastly, Hashicorp alum Director of Open Source @mghaught.bsky.social
  25. RubyGems.org Timeline ◎ 2004 RubyGems released, hosted on RubyForge ◎

    2009 GemCutter > RubyGems.org ◎ 2015 Ruby Together formed ◎ 2022 Ruby Together merged with Ruby Central ◎ 2023 Ruby Central forms the OSS Committee ◎ 2024 Ruby Central launches Open Source Program
  26. RubyGems.org Open Source Program Maintaining and improving critical infrastructure and

    tools for the Ruby ecosystem. Read more on RubyCentral.org
  27. RubyGems.org Our Mission To sustainably provide high-quality and secure infrastructure

    through RubyGems to reliably build Ruby software that enables businesses and our community to thrive. We are dedicated to supporting impactful open source projects on behalf of the Ruby community and fostering the growth of open source contributors to ensure the continuity of the Ruby ecosystem.
  28. RubyGems.org Our team Arun Agrawal David Rodríguez Colby Swandale André

    Arko Ellen Marie Dash Gift Egwuenu Irene Kannyo Marty Haught Martin Emde Josef Šimánek Samuel Giddins
  29. RubyGems.org Notable improvements ▪ Addressed MFA bypass CVE (CVE-2024-21654) ▪

    Bundler Lockfile Checksums ▪ Bundler auto_install enhancements ▪ Caching git gems ▪ Project-specific Gem Caches
  30. RubyGems.org Infrastructure improvements ▪ Kubernetes platform upgrade ▪ OpenSearch cluster

    upgrade allowing multi-AZ ▪ PostgreSQL 13 upgrade ▪ Datadog Cloud Security Management
  31. RubyGems.org Steady release cadence ▪ 24 releases of RubyGems and

    Bundler ▪ Every 2-4 weeks ▪ Quick turnaround on bug fixes
  32. RubyGems.org 24/7 on call rotation ▪ Added a secondary rotation

    to on call ▪ 100% uptime with no major outages ▪ Over 17000 hours of on call
  33. RubyGems.org Working groups OpenSSF ▪ Securing Software Repos ▪ Supply

    Chain Integrity Eclipse Foundation ▪ Open Regulatory Compliance European Cyber Resilience Act (CRA)
  34. RubyGems.org Foundation ▪ Service uptime ▪ Bug fixes, maintenance, security

    patches ▪ Regular release cadence ▪ Customer support The base for mission critical services
  35. RubyGems.org Security ▪ Supply chain security ▪ Cloud infrastructure controls

    ▪ Compliance ▪ Security working group For DevSecOps, Legal, Compliance
  36. RubyGems.org Stability ▪ Disaster recovery, regional failover ▪ Runbooks, systems

    documentation ▪ Streamlined cloud infrastructure For Ruby devs, build systems
  37. RubyGems.org Sustainability ▪ Recurring revenue ▪ Internal documentation, onboarding ▪

    Bringing in the next generation For us, so we can keep doing this
  38. RubyGems.org Developer funding ◎ 2003 RubyConf hacking == RubyGems ◎

    2004-14 Fully volunteer ◎ 2009 EngineYard funded 1 FTE for Bundler ◎ 2015-21 Ruby Together memberships funded 1/2 FTE ◎ 2022-24 Expanded program funding Shopify’s Ruby Shield, AWS, STF, Alpha Omega
  39. RubyGems.org Funding Sources ▪ Donated Services ▪ Memberships ▪ Corporate

    Sponsorships ▪ Program-specific Funding Partners