Evolution of Rails within RubyGems.org

Samuel E. Giddins

July 08, 2025

Transcript

1. RubyGems.org. @segiddins ▪ Samuel Giddins ▪ RubyGems, Bundler, RubyGems.org maintainer & security lead ▪ Security Engineer in Residence @ Ruby Central. Today, on stage: @qrush ▪ Nick Quaranto ▪ RubyGems.org / Gemcutter.org original author ▪ Director of Platform Engineering @ Wistia
2. Hosts all public-facing gems you've downloaded with bundle install • Currently serving 185,000+ gems (and counting) • Because someone has to store all those abandoned Rails engines
3. Handles ~10 billion downloads per month • That's a lot of gem install coffee breaks • 99.9% uptime (we'll talk about that one time…)
4. Provides the API that makes gem push work • Simple REST API that powers the Ruby ecosystem • Faster than explaining dependencies to your manager
5. Keeps your gems secure • Owners of gem namespaces • Security scanning • Powering bundle update • Because ./setup.rb was never going to be sustainable
6. Serves as the central source of truth • If it's not on RubyGems.org, does it even exist? • The place where good gems go to live forever ◦ (and the bad ones too)
7. Takeaway: These changes are a reflection of how web app development has evolved over 15 years, not just in the Ruby or Rails worlds
8. Will Rails…? • YES! • Rails apps can last, scale, and be sustainable • Build enduring software with Ruby that stands the test of time
9. RubyGems.org Today • Rails 8.0.2 • Ruby 3.4.4 • Bundler 2.6.9 • RubyGems 3.6.9 • Modern Rails app
10. What won't change? • Databases • Well-factored business logic • Documentation, onboarding • Entity-based APIs • Human factors / mental health challenges
11. What will change? • Frontend stacks • Deployment platforms • Web design • API specifics • Contributors involved • Test frameworks
12. Original RubyGems.org Principles • Provide a better API for dealing with gems • Create more transparent and accessible project pages • Enable the community to improve and enhance the site
13. Time is a flat circle • Handover to wider contributor group in ~2012 • Move from Heroku, Rackspace to AWS • Nick had kids and wound down involvement ◦ Answering dozens of support tickets, responding to pages/downtime not sustainable (sounds familiar!) • Lots more contributors helped out
14. Burnout! (at the disco) • Unpaid emotional labor • Always-on expectations • Lack of recognition and appreciation (see every HN post) • Financial sustainability challenges • Imposter syndrome and perfectionism
15. How not to burn out your contributors • Pay them ◦ No really, just pay them • Set boundaries • Invite them to speak at conferences 10 years later ◦ (thanks Ruby Central) • Don't be a jerk
16. We Remember: Chef, 2011 - 2015. "You cooked up our infrastructure recipes, until Docker containerized our kitchen"
17. We Remember: ☕ CoffeeScript, 2011 - 2017. "We wouldn't ever make this mistake again in this industry"
18. We Remember: 📦 Vendored Gems Submodule, 2009 - 2016. "Someone please invent containers, my git repo is dying"
19. Security Isn't Easy • Web app with high traffic, much of it unauthenticated • All the normal surface area of a Rails app • Reading & validating gems and (YAML) gemspecs and tarballs and gzipped files • Keeping RubyGems & Bundler users safe
20. Security Lessons • We're a big target ◦ Luckily, no (major) left-pad style issues (yet) ◦ Plenty of other security issues regularly • Lots of expectations on a very public service • Needed some policies (Thanks Marty!)
21. Shoutout to Maintainers over the years • sferik • sonalkr132 • dwradcliffe • evanphx • simi • samkottler • arthurnn • hsbt • indirect • jenshenny • martinemde • + so many others!!
22. Hot off the presses • Make operating rubygems.org easier ◦ Admin Panel ◦ PagerDuty rotation ◦ Observability (Datadog, CloudWatch) ◦ Terraform for AWS / Fastly resources / DNS • Policies
23. 2025 and beyond • Preview from the 2025 OSS Public Roadmap • Gem contents browser ◦ Version diff • Hosting vuln advisory db for gems • Changing yanking (again)
24. How to Contribute • 💻 Code Contributions • 📝 Documentation • 🎨 Design & UX • 💰 Support Ruby Central
25. How to Contribute: 💻 Code Contributions • Fix bugs tagged good first issue • Improve test coverage • Refactor confusing code • Help adopt the latest Rails features • Performance optimizations
26. How to Contribute: 📝 Documentation • Update API documentation • Contribute to guides.rubygems.org • Anything you found confusing, others will too
27. How to Contribute: 🎨 Design & UX • Help roll out new design system • Improve accessibility • Mobile responsiveness • Flex your Figma • Help with Ian's pretty designs!
28. How to Contribute: 🚀 Getting Started • Clone github.com/rubygems/rubygems.org • Check out CONTRIBUTING.md for setup instructions • Join #rubygems-org on Bundler Slack for questions • Run the app & tests locally ◦ It's a Rails app, you got this! • Join us tomorrow @ Hack Spaces
29. Lessons / Takeaways part 2 • Most OSS projects don't last 16+ years! • Funding for the long run, and a service that must be operational forever, is even harder • Focus on what will change instead of what won't • Say thanks to those who help out
30. Thank you!! Nick Quaranto (Creator, RubyGems.org) • Samuel Giddins (Security Engineer in Residence, funded by RubyGems.org) • Thanks also
31. Sigstore • Answers: "where does this gem come from" • What commit, what repo, when • Cryptographically verifiable • Future: basis for policies around what gems to install
32. What is a Sigstore Client? A sigstore client can be summarized as two functions: • A function that verifies an artifact + sigstore bundle against a trusted root • A function that signs an artifact against a trusted root
33. What is a Sigstore? Software safety, integrated. A combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale.
34. What is a Sigstore? → A TUF repository to serve the trusted root → A service that issues signing certs based on OIDC tokens → Don't forget the CT Log! → A service that records handwaves in a transparency log → A bundle format that has artifacts from all of the above
35. Above all, Sigstore is a cryptosystem that we're going to use to build trust for software artifacts. So it's important we get it right.
36. Professor ChatGPT, why is writing a sigstore client from scratch so difficult? "Writing a Sigstore client from scratch can be quite difficult for several reasons, primarily due to the complexity of the underlying cryptographic protocols, integration with various services, and handling security concerns. Here's a breakdown of the challenges you might face: 1. Complexity of the Sigstore Protocol 2. Cryptographic Foundations 3. Interfacing with Sigstore Services 4. Security Considerations 5. Integration with Other Tools 6. API Design and Usability 7. Testing and Debugging"
37. sigstore-ruby implementation goals • Pure Ruby implementation of both signing & verification flows • 100% vendorable inside of RubyGems & Bundler ◦ And by extension, all Ruby distributions themselves • Don't trust Sam to write novel cryptography code
38. What is "Pure Ruby"? • Only ISO Ruby • Only Ruby runnable with miniruby • Only the stdlib • Only the stdlib + bundled gems • What about JRuby, TruffleRuby, Ruby on wasm, etc.?
39. What is "Pure Ruby"? • MRI 3.2+ (non-EOL) • Latest JRuby • Latest TruffleRuby • Stdlib + Default + Bundled Gems
40. "Pure Ruby" is still hard • Industry standard libraries are still (mostly) written in C • Ruby stdlib primitives are largely implemented in native code • Every layer of wrappers leads to increased impedance mismatches • Supporting old rubies + multiple implementations means even less can be taken for granted
41. Why not a Rust wrapper? • Dependency on compiling native code is a no-go for a language-level dependency • Need to be able to update sigstore-ruby outside of Ruby releases • WASM, JVM, etc. • "Rewrite it in Rust" isn't a panacea
42. An end-to-end sigstore verification flow does a lot! • TUF ◦ Repository refresh ◦ Target download • Read bundle JSON & validate bundle • Hash artifact • Establish a trusted source of time • Perform X509 path validation • Perform signed certificate timestamp validation • Verify inclusion of the log entry in the transparency log • Verify the certificate against a policy • Verify signatures against the artifact & signing certificate • Ensure consistency between DSSE payload & policy & signing cert
43. The guarantee of all those pieces working is the responsibility of the client implementor. … me.
44. Primitives → Protobuf (but only JSON) → RSA / ECDSA / Ed25519 → X509 → RFC3161 → Signed notes → Merkle trees → 2x JSON Canonicalization
45. Signing Primitives → OIDC / JWTs → Key generation → More X509 → RFC3161 timestamp creation → Signature creation → Speaking hashedrekord / DSSE + in-toto + SLSA + ACRONYM SOUP → Rekor & Fulcio HTTP Clients
46. That's a lot of primitives to assume every language is going to have available. & Documented. & Functioning properly. & Secure.
47. openssl gem → Wrapper around OpenSSL → Multiple OpenSSL versions → Ed25519 support? Sometimes! → Missing functionality → Basic querying about cert properties → Mixing up extension OIDs and short names → tbs_precert bytes → SCT validation → rfc3161 validation at a given timestamp
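Slides 42 and 47 together describe what the verifier has to do and where the openssl gem makes that awkward. The Ruby below is an added example, not code from sigstore-ruby or RubyGems.org: it builds a constructed root CA and a short-lived signing certificate in memory (standing in for the chain a real bundle carries), then runs the verification steps that can be shown without network access: x509 path validation at a caller-supplied trusted time rather than the wall clock, a policy check on the certificate's identity, and the signature check over the artifact bytes. It also shows the OID versus short-name mix-up from slide 47: `OpenSSL::X509::Extension#oid` returns `"subjectAltName"` for a known extension, so a lookup by `"2.5.29.17"` only works after normalizing through `OpenSSL::ASN1::ObjectId`. The names `build_test_pki`, `verify_artifact` and `extension_by_oid`, the identity `signer@example.test` and the validity periods are all assumptions made for the example.

```ruby
require "openssl"

# Constructed two-level PKI (root CA + ten-minute signing cert), standing in for
# the issued chain a real bundle carries. Example code, not sigstore-ruby's.
def build_test_pki(now)
  root_key = OpenSSL::PKey::EC.generate("prime256v1")
  root = OpenSSL::X509::Certificate.new
  root.version = 2
  root.serial = 1
  root.subject = OpenSSL::X509::Name.parse("/CN=Example Root CA")
  root.issuer = root.subject
  root.public_key = root_key
  root.not_before = now - 60
  root.not_after = now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = root
  ef.issuer_certificate = root
  root.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  root.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  root.sign(root_key, OpenSSL::Digest.new("SHA256"))

  leaf_key = OpenSSL::PKey::EC.generate("prime256v1")
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse("/CN=example signer")
  leaf.issuer = root.subject
  leaf.public_key = leaf_key
  leaf.not_before = now - 60
  leaf.not_after = now + 600 # short-lived, like a Sigstore signing cert
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = leaf
  ef.issuer_certificate = root
  leaf.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  leaf.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
  leaf.add_extension(ef.create_extension("subjectAltName", "email:signer@example.test"))
  leaf.sign(root_key, OpenSSL::Digest.new("SHA256"))

  [root, leaf, leaf_key]
end

# The openssl gem reports a known extension's oid as its short name
# ("subjectAltName"), not the dotted OID. Normalizing both sides through
# OpenSSL::ASN1::ObjectId makes a lookup by dotted OID work regardless.
def extension_by_oid(cert, dotted)
  cert.extensions.find { |ext| OpenSSL::ASN1::ObjectId.new(ext.oid).oid == dotted }
end

# Slide 42's checks in miniature. `at` is the trusted time the caller has
# established (in Sigstore, from a timestamp or log integration time); the
# path is validated at that instant, never at Time.now.
def verify_artifact(root:, leaf:, artifact:, signature:, at:, expected_email:)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.time = at
  return [false, "path validation failed: #{store.error_string}"] unless store.verify(leaf)

  # Policy: the identity bound into the certificate must be the one we expect.
  san = extension_by_oid(leaf, "2.5.29.17") # id-ce-subjectAltName
  return [false, "policy: certificate has no SAN"] unless san
  return [false, "policy: unexpected identity #{san.value}"] unless san.value == "email:#{expected_email}"

  # Finally, the signature over the artifact bytes with the leaf's public key.
  digest = OpenSSL::Digest.new("SHA256")
  return [false, "signature does not match artifact"] unless leaf.public_key.verify(digest, signature, artifact)

  [true, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  root, leaf, leaf_key = build_test_pki(now)
  artifact = "constructed gem bytes, not a real .gem".b
  signature = leaf_key.sign(OpenSSL::Digest.new("SHA256"), artifact)
  p verify_artifact(root: root, leaf: leaf, artifact: artifact, signature: signature,
                    at: now, expected_email: "signer@example.test")
  # Same bundle an hour later: the signing cert has expired at that trusted time.
  p verify_artifact(root: root, leaf: leaf, artifact: artifact, signature: signature,
                    at: now + 3600, expected_email: "signer@example.test")
end
```

What this leaves out is exactly the rest of slide 42: the TUF refresh that supplies the trusted root, the signed certificate timestamp check, the transparency-log inclusion proof and the DSSE payload consistency check. The expiry case in the demo is the reason the trusted time matters: a ten-minute certificate is expected to be expired by the time anyone verifies, so validating at the wall clock would reject every legitimate signature, while validating at an attacker-chosen time would accept any.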
48. jruby-openssl → bouncycastle-based implementation of the openssl API → Broken X509 path validation with intermediary CAs → Missing Ed25519 support → Missing public key DER export → … plus everything else missing from the C-Ruby gem
49. jruby-openssl: From b97e5ad62dd948631e76208a3541a3a246d81abe Mon Sep 17 00:00:00 2001 From: Samuel Giddins <[email protected]> Date: Tue, 3 Dec 2024 13:07:54 -0600 Subject: [PATCH] Re-implement missing jruby functionality atop java.security Signed-off-by: Samuel Giddins <[email protected]> --- .github/workflows/ci.yml | 15 ++-- .github/workflows/release.yml | 4 +- .gitignore | 1 + Rakefile | 12 +++- lib/sigstore/internal/key.rb | 4 -- lib/sigstore/internal/x509.rb | 110 ++++++++++++++++++++++------- lib/sigstore/policy.rb | 12 +++- lib/sigstore/signer.rb | 23 +++--- lib/sigstore/trusted_root.rb | 14 ++-- lib/sigstore/verifier.rb | 37 ++++------ test/sigstore/trusted_root_test.rb | 8 ++- 11 files changed, 154 insertions(+), 86 deletions(-)
50. sigstore-ruby → X509 wrapper to allow querying cert properties & typed extension values → RFC8785 JSON Canonicalization → X509 tbs_certificate_der → SCTs in general → rfc3161 support for arbitrary validation times → DSSE validation
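Slide 44 ("2x JSON Canonicalization") and slide 50 ("RFC8785 JSON Canonicalization") refer to the same need: before a client can hash or sign the body of a log entry, or compare its own encoding with what the log returned, both sides must serialize the JSON identically. The Ruby below is an added example, not sigstore-ruby's canonicalizer, and implements the RFC 8785 (JCS) rules for objects, arrays, strings, booleans, null and integers: no whitespace, member keys sorted by UTF-16 code units (not by codepoint or UTF-8 bytes, which differ for characters outside the Basic Multilingual Plane), and the fixed string-escaping table. Non-integral floats need ES6 `Number#toString` formatting and are rejected here rather than approximated. The names `jcs_serialize`, `jcs_canonicalize` and `JcsError` are assumptions made for the example.

```ruby
require "json"

# Minimal RFC 8785 (JSON Canonicalization Scheme) serializer. Example code
# added here; it is not the canonicalizer sigstore-ruby ships.
class JcsError < StandardError; end

# JCS string escaping: only ", \ and control characters are escaped, the
# short forms are used where JSON has them, and everything else (including
# non-ASCII) is emitted literally.
def jcs_string(str)
  out = +'"'
  str.each_char do |c|
    out << case c
           when '"' then '\\"'
           when "\\" then "\\\\"
           when "\b" then "\\b"
           when "\t" then "\\t"
           when "\n" then "\\n"
           when "\f" then "\\f"
           when "\r" then "\\r"
           else c.ord < 0x20 ? format("\\u%04x", c.ord) : c
           end
  end
  out << '"'
end

# Integers within the IEEE-754 safe range serialize as plain digits (ES6
# prints 10.0 as "10"). Anything that would need ES6's shortest round-trip
# float formatting is refused instead of being approximated.
def jcs_number(num)
  if num.is_a?(Float)
    raise JcsError, "non-integral floats are not supported in this example" unless num.finite? && num == num.floor
    num = num.to_i
  end
  raise JcsError, "integer outside the IEEE-754 safe range" if num.abs > 2**53
  num.to_s
end

def jcs_serialize(value)
  case value
  when nil then "null"
  when true, false then value.to_s
  when String then jcs_string(value)
  when Integer, Float then jcs_number(value)
  when Array then "[" + value.map { |v| jcs_serialize(v) }.join(",") + "]"
  when Hash
    h = value.transform_keys(&:to_s)
    # JCS orders members by the UTF-16 code units of the key; comparing the
    # UTF-16BE byte strings yields exactly that order.
    keys = h.keys.sort_by { |k| k.encode("UTF-16BE").b }
    "{" + keys.map { |k| "#{jcs_string(k)}:#{jcs_serialize(h[k])}" }.join(",") + "}"
  else
    raise JcsError, "unsupported type #{value.class}"
  end
end

# Parse arbitrary JSON text and return its canonical form.
def jcs_canonicalize(json_text)
  jcs_serialize(JSON.parse(json_text))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: pretty-printed, unsorted, with an escaped control char.
  puts jcs_canonicalize(%({ "z": "tab\\there", "a": [true, null, 10.0], "\\u0001": {} }))
end
```

The surrogate-pair case is the one that catches implementations which sort by Ruby's default string comparison: a key such as "😀" (UTF-16 `D83D DE00`) must sort before "～" (U+FF5E, UTF-16 `FF5E`), even though its codepoint and UTF-8 bytes are larger. Two canonicalizers that disagree on that produce different hashes for the same entry, which is why the slide counts it as a primitive in its own right.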
51. How did this get so complicated? Sigstore is the amalgamation of multiple different systems • X509 for PKI • TUF for trusted material distribution • Merkle trees for transparency log inclusion • Signed notes for checkpoints
52. How did this get so complicated? Sigstore is the amalgamation of multiple different systems … which have a lot of configuration points
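Slide 42's "verify inclusion of the log entry in the transparency log" and slide 51's "Merkle trees for transparency log inclusion" are the same primitive. The Ruby below is an added example, not sigstore-ruby's implementation: it uses the RFC 6962 / RFC 9162 leaf and node hashing (0x00 and 0x01 domain-separation prefixes over SHA-256), builds a small constructed log so it can produce an audit path the way a log server would, and then checks that path the way a client must, recomputing the root from the leaf hash and the proof and comparing it with the root from a signed checkpoint rather than trusting anything the server asserts about the entry. The names `merkle_root`, `inclusion_proof` and `verify_inclusion` and the sample entries are assumptions made for the example.

```ruby
require "digest"

# RFC 6962 / RFC 9162 Merkle tree hashing. Example code added here; it is not
# sigstore-ruby's or Rekor's code.
LEAF_PREFIX = "\x00".b
NODE_PREFIX = "\x01".b

def leaf_hash(entry)
  Digest::SHA256.digest(LEAF_PREFIX + entry.b)
end

def node_hash(left, right)
  Digest::SHA256.digest(NODE_PREFIX + left + right)
end

# Largest power of two strictly less than n (n >= 2): where RFC 6962 splits.
def split_point(n)
  k = 1
  k <<= 1 while k * 2 < n
  k
end

# Root hash of a log with these entries (MTH in RFC 6962 section 2.1).
def merkle_root(entries)
  return Digest::SHA256.digest("") if entries.empty?
  return leaf_hash(entries[0]) if entries.size == 1
  k = split_point(entries.size)
  node_hash(merkle_root(entries[0...k]), merkle_root(entries[k..]))
end

# Audit path for entries[index] (PATH in RFC 6962 section 2.1.1). This is what
# a log server returns; the client checks it rather than trusting it.
def inclusion_proof(entries, index)
  return [] if entries.size == 1
  k = split_point(entries.size)
  if index < k
    inclusion_proof(entries[0...k], index) + [merkle_root(entries[k..])]
  else
    inclusion_proof(entries[k..], index - k) + [merkle_root(entries[0...k])]
  end
end

# Client-side verification (RFC 9162 section 2.1.3.2): fold the proof into the
# leaf hash, deciding left/right from the leaf index and tree size, and require
# both that the proof is fully consumed and that the result equals the
# checkpoint's root hash.
def verify_inclusion(entry, index, tree_size, proof, expected_root)
  return false if index >= tree_size
  fn = index
  sn = tree_size - 1
  r = leaf_hash(entry)
  proof.each do |p|
    return false if sn.zero?
    if fn.odd? || fn == sn
      r = node_hash(p, r)
      if fn.even?
        until fn.odd? || fn.zero?
          fn >>= 1
          sn >>= 1
        end
      end
    else
      r = node_hash(r, p)
    end
    fn >>= 1
    sn >>= 1
  end
  sn.zero? && r == expected_root
end

if __FILE__ == $PROGRAM_NAME
  log = (1..7).map { |i| "constructed log entry #{i}" } # stands in for Rekor entries
  root = merkle_root(log)                               # would come from a signed checkpoint
  proof = inclusion_proof(log, 4)                       # would come from the log server
  puts verify_inclusion(log[4], 4, log.size, proof, root)
  puts verify_inclusion("tampered entry", 4, log.size, proof, root)
end
```

The two prefixes are what stop a leaf from being reinterpreted as an interior node or vice versa; omitting them is the classic second-preimage mistake in Merkle tree implementations. The `sn.zero?` check at the end is equally easy to forget: without it a proof that is too short for the claimed tree size can still "verify" against a partial root.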
53. The point of building these sigstore clients is to use them in our various software ecosystems.
54. Everything got a little bit better in 2024 → sigstore-conformance → tuf-conformance → Edited sigstore client doc → Convergence between different independent implementations → Mock sigstore implementations for testing → William Woodruff saved the day more times than I could count
55. We've learned about building sigstore clients from scratch. Things will be clearer & easier as we continue evolving: Prototype ⇒ Early Adopters ⇒ Critical System
56. Security • HackerOne and Rails security best practices ◦ HN hack when Nick was on a bus (2012?) ◦ RubyGems 1/30/13 Incident Status ◦ RubyGems Trust Model ◦ Gem Yanking ◦ HTTPS • Current challenges ◦ Sigstore? ◦ H1 • Lessons ◦ We're a big target ◦ Lots of expectations on a very public service ◦ Need some policies (Thanks Marty)
57. No, seriously • Something insightful • Another thing to take home • GIFs are still funny? • Narrative re startups today ◦ Rails apps can last, scale, and be sustainable ◦ Build enduring software • Focus on what can change / (won't change?) ◦ Probably will change: frontend stacks ◦ Won't: databases, well-factored code + biz logic • Talk through what has / what hasn't changed • Lapidary: The Art of Gemcutting - Speaker Deck
58. A history lesson / timeline • BEFORE (RubyForge, etc.) timeline • Start from RubyConf when RubyGems was first born • RubyForge • GitHub gems • Gemcutter genesis (2009)
59. Cccccchanges • Originally… 2 Sinatra apps! ◦ Moved to Rails in … (remember when) • Internal dependencies (Bundler exists because of Rails) ◦ https://blog.rubygems.org/2015/02/01/rewriting-history.html • Frontend JS story ◦ No current frontend builder/TypeScript currently ◦ Remember Sass? • Designs (screenshots from archive.org) ◦ Original ◦ DockYard redesign https://dockyard.com/blog/2014/11/18/rubygems-redesign • Tests ◦ RSpec/Cucumber ◦ System/integration tests ◦ Current state
60. Architecture Changes • Vendored Gems • Frontend JS ◦ No current frontend builder/TypeScript currently ◦ Remember Sass?
61. Stats bragging (2025 edition) • 250B downloads • User growth • RubyGem growth / # of packages • Top 10 gems over time (possibly animated) • Bundler usage • Sources: ◦ https://stats.rubygems.org/ ◦ ClickHouse
62. Community Changes • IRC channels • Boston RB contributions / RailsCamp hacking • How people contributed in Gemcutter era - Ruby Central takeover • Evolution of contributing (cool commit map here?)