Evolution of Rails within RubyGems.org

Transcript

1. RubyGems.org Evolution of Rails within RubyGems.org (The Last) RailsConf 2025

   Samuel Giddins & Nick Quaranto

2. RubyGems.org @segiddins ▪ Samuel Giddins ▪ RubyGems, Bundler, RubyGems.org maintainer

   & security lead ▪ Security Engineer in Residence @ Ruby Central Today, on stage @qrush ▪ Nick Quaranto ▪ RubyGems.org / Gemcutter.org original author ▪ Director of Platform Engineering @ Wistia

3. RubyGems.org What does RubyGems.org do anyway?

4. RubyGems.org What does RubyGems.org do anyway? RubyGems.org is the beating

   heart of Ruby and Rails.

5. RubyGems.org • Currently serving 185,000+ gems (and counting) • Because

   someone has to store all those abandoned Rails engines Hosts all public facing gems you've downloaded with bundle install

6. RubyGems.org • That's a lot of gem install coffee breaks

   • 99.9% uptime (we’ll talk about that one time…) Handles ~10 billion downloads per month

7. RubyGems.org • Simple REST API that powers the Ruby ecosystem

   • Faster than explaining dependencies to your manager Provides the API that makes gem push work

8. RubyGems.org • Owners of gem namespaces • Security scanning •

   Powering bundle update • Because ./setup.rb was never going to be sustainable Keeps your gems secure

9. RubyGems.org • If it's not on RubyGems.org, does it even

   exist? • The place where good gems go to live forever ◦ (and the bad ones too) Serves as the central source of truth

10. RubyGems.org What we want you to learn in this talk

    RUBYGEMS

11. RubyGems.org Takeaway These changes are a reflection of how web

    app development has evolved over 15 years, not just in the Ruby or Rails worlds

12. RubyGems.org Will Rails… • YES! • Rails apps can last,

    scale, and be sustainable • Build enduring software with Ruby that stands the test of time

13. RubyGems.org RubyGems.org Today • Rails 8.0.2 • Ruby 3.4.4 •

    Bundler 2.6.9 • RubyGems 3.6.9 • Modern Rails app

14. RubyGems.org What won’t change? • Databases • Well-factored business logic

    • Documentation, onboarding • Entity-based APIs • Human factors / Mental health challenges

15. RubyGems.org • Frontend stacks • Deployment platforms • Web design

    What will change? • API specifics • Contributors involved • Test frameworks

16. RubyGems.org Original RubyGems.org Principles • Provide a better API for

    dealing with gems • Create more transparent and accessible project pages • Enable the community to improve and enhance the site

17. RubyGems.org Timeline

18. RubyGems.org RubyForge (2003-2014)

19. RubyGems.org GitHub Gems (2008-2010ish)

20. RubyGems.org Gemcutter.org 2009 -“CSS is awesome”

21. RubyGems.org Gemcutter.org 2010 - Sick gradients!

22. RubyGems.org Gemcutter RubyGems.org (2012-*)

23. RubyGems.org RubyGems.org (2014 design)

24. RubyGems.org RubyGems.org (2025 design)

25. RubyGems.org • Handover to wider contributor group in ~2012 •

    Move from Heroku, Rackspace to AWS • Nick had kids and wound down involvement ◦ Answering dozens of support tickets, responding to pages/downtime not sustainable (sounds familiar!) • Lots more contributors helped out Time is a flat circle

26. RubyGems.org Burnout! (at the disco) • Unpaid emotional labor •

    Always-on expectations • Lack of recognition and appreciation (see every HN post) • Financial sustainability challenges • Imposter syndrome and perfectionism

27. RubyGems.org How not to burn out your contributors • Pay

    them ◦ No really, just pay them • Set boundaries • Invite them to speak at conferences 10 years later ◦ (thanks Ruby Central) • Don’t be a jerk

28. RubyGems.org Stats bragging (2011 edition)

29. RubyGems.org Stats bragging (2025 edition)

30. RubyGems.org Packages uninstalled, never forgotten IN MEMORIAM

31. RubyGems.org We Remember 🥒 Cucumber 2009 - 2012 “Scenario: You

    wrote a test”

32. RubyGems.org We Remember 🎨 SASS 2009 - 2020 “Not Software

    As a Service”

33. RubyGems.org We Remember 󰞽 Chef 2011 - 2015 "You cooked

    up our infrastructure recipes, until Docker containerized our kitchen"

34. RubyGems.org We Remember 🚛 SCP Deploys 2009 - 2014 “How

    did this ever work?”

35. RubyGems.org We Remember ☕ CoffeeScript 2011 - 2017 “We wouldn’t

    ever make this mistake again in this industry”

36. RubyGems.org We Remember 🐕 Mongrel 2009 - 2012 “The original

    animal Ruby webserver”

37. RubyGems.org We Remember 🦄 Unicorn 2012 - 2023 “Making every

    developer learn what SIGHUP is”

38. RubyGems.org We Remember ⏰ DelayedJob 2009 - 2021 “Now in

    the dead queue”

39. RubyGems.org We Remember 🚉 Heroku 2009 - 2013 “Bump the

    dynos”

40. RubyGems.org We Remember 📦 Vendored Gems Submodule 2009 - 2016

    “Someone please invent containers my git repo is dying”

41. RubyGems.org Security

42. RubyGems.org

43. RubyGems.org Security Isn’t Easy gemspec

44. RubyGems.org • Web app with high traffic, much of it

    unauthenticated • All the normal surface area of a rails app • Reading & validating gems and (YAML) gemspecs and tarballs and gzipped files • Keeping rubygems & bundler users safe Security Isn’t Easy

45. RubyGems.org Security Current Challenges • Sigstore • Trust Model •

    HackerOne • Scanning packages for exploits

46. RubyGems.org Security Lessons • We’re a big target ◦ Luckily,

    no (major) left-pad style issues (yet) ◦ Plenty of other security issues regularly • Lots of expectations on a very public service • Needed some policies (Thanks Marty!)

47. RubyGems.org Deployment

48. RubyGems.org

49. RubyGems.org

50. RubyGems.org Community

51. RubyGems.org https:/ /www.flickr.com/photos/freelancing_god/4224710238/in/photostream/ RailsCamp 2009

52. RubyGems.org IRC era https:/ /freenode.catirclogs.org/

53. RubyGems.org This hasn’t changed

54. RubyGems.org ~500 Contributors!

55. RubyGems.org • sferik • sonalkr132 • dwradcliffe • evanphx •

    simi • samkottler Shoutout to Maintainers over the years • arthurnn • hsbt • indirect • jenshenny • martinemde • + so many others!!

56. RubyGems.org Hot off the presses • Make operating rubygems.org easier

    ◦ Admin Panel ◦ PagerDuty rotation ◦ Observability (Datadog, CloudWatch) ◦ Terraform for AWS / Fastly resources / DNS • Policies

57. RubyGems.org 2025 and beyond • Preview from the 2025 OSS

    Public Roadmap • Gem contents browser ◦ Version diff • Hosting vuln advisory db for gems • Changing yanking (again)

58. RubyGems.org Contribute to RubyGems.org

59. RubyGems.org

60. RubyGems.org How to Contribute • 💻 Code Contributions • 📝

    Documentation • 🎨 Design & UX • 💰 Support Ruby Central

61. RubyGems.org How to Contribute: 💻 Code Contributions • Fix bugs

    tagged good first issue • Improve test coverage • Refactor confusing code • Help adopt the latest Rails features • Performance optimizations

62. RubyGems.org How to Contribute: 📝 Documentation • Update API documentation

    • Contribute to guides.rubygems.org • Anything you found confusing, others will too

63. RubyGems.org How to Contribute: 🎨 Design & UX • Help

    roll out new design system • Improve accessibility • Mobile responsiveness • Flex your Figma • Help with Ian's pretty designs!

64. RubyGems.org How to Contribute: 🚀 Getting Started • Clone github.com/rubygems/rubygems.org

    • Check out CONTRIBUTING.md for setup instructions • Join #rubygems-org on Bundler Slack for questions • Run the app & tests locally ◦ It’s a Rails app, you got this! • Join us tomorrow @ Hack Spaces

65. RubyGems.org Lessons / Takeaways part 2 • Most OSS projects

    don’t last 16+ years! • Funding for the long run, and a service that must be operational forever, is even harder • Focus on what will change instead of what won’t • Say thanks to those who help out

66. RubyGems.org Sponsors

67. RubyGems.org Thank you!! Nick Quaranto Creator RubyGems.org Samuel Giddins Security

    Engineer in Residence Funded by RubyGems.org Thanks also

68. RubyGems.org Disclaimer

69. RubyGems.org

70. RubyGems.org

71. RubyGems.org Sigstore • Answers: “where does this gem come from”

    • What commit, what repo, when • Cryptographically verifiable • Future: basis for policies around what gems to install

72. RubyGems.org What is a Sigstore Client? A sigstore client can

    be summarized as two functions: • A function that verifies an artifact + sigstore bundle against a trusted root • A function that signs an artifact against a trusted root

73. RubyGems.org … those functions are complicated

74. RubyGems.org RubyGems.org What is a Sigstore? Software safety, integrated A

    combination of technologies to handle signing, verification and provenance checks that respect privacy and work at scale.

75. RubyGems.org RubyGems.org What is a Sigstore? → A TUF repository

    to serve the trusted root → A service that issues signing certs based on OIDC tokens → Don’t forget the CT Log! → A service that records handwaves in a transparency log → A bundle format that has artifacts from all of the above

76. RubyGems.org Above all, Sigstore is a cryptosystem that we’re going

    to use to build trust for software artifacts. So it’s important we get it right.

77. RubyGems.org RubyGems.org Professor ChatGPT why is writing a sigstore client

    from scratch so difficult Writing a Sigstore client from scratch can be quite difficult for several reasons, primarily due to the complexity of the underlying cryptographic protocols, integration with various services, and handling security concerns. Here's a breakdown of the challenges you might face: 1. Complexity of the Sigstore Protocol 2. Cryptographic Foundations 3. Interfacing with Sigstore Services 4. Security Considerations 5. Integration with Other Tools 6. API Design and Usability 7. Testing and Debugging

78. RubyGems.org sigstore-ruby implementation goals • Pure Ruby implementation of both

    signing & verification flows • 100% vendorable inside of RubyGems & Bundler ◦ And by extension, all Ruby distributions themselves • Don’t trust Sam to write novel cryptography code

79. RubyGems.org What is “Pure Ruby” • Only ISO Ruby •

    Only Ruby runnable with miniruby • Only the stdlib • Only the stdlib + bundled gems • What about jruby, truffleruby, ruby on wasm, etc.?

80. RubyGems.org What is “Pure Ruby” MRI 3.2+ (non-EOL) Latest JRuby

    Latest TruffleRuby Stdlib + Default + Bundled Gems

81. RubyGems.org “Pure Ruby” is still hard • Industry standard libraries

    are still (mostly) written in C • Ruby stdlib primitives are largely implemented in native code • Every layer of wrappers leads to increased impedance mismatches • Supporting old rubies + multiple implementations means even less can be taken for granted

82. RubyGems.org Why not a rust wrapper? • Dependency on compiling

    native code is a no-go for language-level dependency • Need to be able to update sigstore-ruby outside of ruby releases • WASM, JVM, etc. • “Rewrite it in Rust” isn’t a panacea

83. RubyGems.org First line of code: February First release: October First

    production usage: November

84. RubyGems.org An end-to-end sigstore verification flow does a lot! •

    TUF ◦ Repository refresh ◦ Target download • Read bundle JSON & validate bundle • Hash artifact • Establish a trusted source of time • Perform x509 path validation • Perform signed certificate timestamp validation • Verify inclusion of the log entry in the transparency log • Verify the certificate against a policy • Verify signatures against the artifact & signing certificate • Ensure consistency between DSSE payload & policy & signing cert • 󰛢

85. RubyGems.org The guarantee of all those pieces working are the

    responsibility of the client implementor. … me.

86. RubyGems.org RubyGems.org Primitives → Protobuf (but only JSON) → RSA

    / ECDSA / Ed25519 → X509 → RFC3161 → Signed notes → Merkle trees → 2x JSON Canonicalization

87. RubyGems.org RubyGems.org Signing Primitives → OIDC / JWTs → Key

    generation → More X509 → RFC3161 timestamp creation → Signature creation → Speaking hashedrekord / DSSE + intoto + SLSA + ACRONYM SOUP → Rekor & Fulcio HTTP Clients

88. RubyGems.org That’s a lot of primitives to assume every language

    is going to have available. & Documented. & Functioning properly. & Secure.

89. RubyGems.org RubyGems.org Ruby Stdlib → openssl gem → That’s it

    for cryptographic primitives → JSON

90. RubyGems.org → Wrapper around openssl → Multiple openssl versions →

    Ed25519 support? Sometimes! → Missing functionality → Basic querying about cert properties → Mixing up extension OIDs and short names → tbs_precert bytes → SCT validation → rfc3161 validation at a given timestamp RubyGems.org openssl gem

91. RubyGems.org RubyGems.org → bouncycastle-based implementation of the openssl API →

    Broken X509 path validation with intermediary CAs → Missing Ed25519 support → Missing public key der export → … plus everything else missing from the C-ruby gem jruby- openssl

92. RubyGems.org RubyGems.org From b97e5ad62dd948631e76208a3541a3a246d81abe Mon Sep 17 00:00:00 2001 From:

    Samuel Giddins <[email protected]> Date: Tue, 3 Dec 2024 13:07:54 -0600 Subject: [PATCH] Re-implement missing jruby functionality atop java.security Signed-off-by: Samuel Giddins <[email protected]> --- .github/workflows/ci.yml | 15 ++-- .github/workflows/release.yml | 4 +- .gitignore | 1 + Rakefile | 12 +++- lib/sigstore/internal/key.rb | 4 -- lib/sigstore/internal/x509.rb | 110 ++++++++++++++++++++++------- lib/sigstore/policy.rb | 12 +++- lib/sigstore/signer.rb | 23 +++--- lib/sigstore/trusted_root.rb | 14 ++-- lib/sigstore/verifier.rb | 37 ++++------ test/sigstore/trusted_root_test.rb | 8 ++- 11 files changed, 154 insertions(+), 86 deletions(-) jruby- openssl

93. RubyGems.org RubyGems.org → X509 wrapper to allow querying cert properties

    & typed extension values → RFC8785 JSON Canonicalization → X509 tbs_certificate_der → SCTs in general → rfc3161 support for arbitrary validation times → DSSE validation sigstore- ruby

94. RubyGems.org RubyGems.org sigstore-ruby … TUF (it was tough)

95. RubyGems.org How did this get so complicated? Sigstore is the

    amalgamation of multiple different systems • X509 for PKI • TUF for trusted material distribution • Merkle trees for transparency log inclusion • Signed notes for checkpoints

96. RubyGems.org How did this get so complicated? Sigstore is the

    amalgamation of multiple different systems … which have a lot of configuration points

97. RubyGems.org The point of building these sigstore clients is to

    use them in our various software ecosystems.

98. RubyGems.org Multiple implementations mitigate the impact of a bug found

    in any one implementation.

99. RubyGems.org Multiple implementations help make our specifications more precise and

    portable.

100. RubyGems.org RubyGems.org Everything got a little bit better in 2024

     → sigstore-conformance → tuf-conformance → Edited sigstore client doc → Convergence between different independent implementations → Mock sigstore implementations for testing → William Woodruff saved the day more times than I could count

101. RubyGems.org We’ve learned about building sigstore clients from scratch. Things

     will be clearer & easier as we continue evolving: Prototype⇒Early Adopters⇒Critical System

102. RubyGems.org Building sigstore-ruby in 2024 was challenging. Building sigstore-insert your

     language here in 2025 will be easier.

103. RubyGems.org Come say 👋 if you want to contribute to

     sigstore-ruby

104. RubyGems.org Come say 👋 if you want to make sigstore-ruby

     easier to implement in Ruby

105. RubyGems.org חספ גח חמש Insert jewish joke here.

106. RubyGems.org Security • Hackerone and Rails security best practices ◦

     HN hack when Nick was on a bus (2012?) ◦ RubyGems 1/30/13 Incident Status ◦ Rubygems Trust Model ◦ Gem Yanking ◦ HTTPS • Current challenges ◦ Sigstore? ◦ H1 • Lessons ◦ We’re a big target ◦ Lots of expectations on a very public service ◦ Need some policies (Thanks Marty)

107. RubyGems.org IN MEMORIAM

108. RubyGems.org No, seriously • Something insightful • Another thing to

     take home • GIFs are still funny? • Narrative re startups today ◦ Rails apps can last, scale, and be sustainable ◦ Build enduring software • Focus on what can change / (wont change?) ◦ Probably will change: frontend stacks ◦ Won’t: databases, well factored code + biz logic • Talk through what has/ what hasn’t changed • Lapidary: The Art of Gemcutting - Speaker Deck

109. RubyGems.org A history lesson / timeline • BEFORE (rubyforge, etc)

     timeline • Start from rubyconf when Rubygems was first born • RubyForge • GitHub gems • Gemcutter genesis (2009)

110. RubyGems.org Gradient zone

111. RubyGems.org Cccccchanges • Originally… 2 sinatra apps! ◦ Moved to

     Rails in … (remember when) • Internal dependencies (Bundler exists because of Rails) ◦ https:/ /blog.rubygems.org/2015/02/01/rewriting-history.html • Frontend js story ◦ No current frontend builder/typescript currently ◦ Remember sass? • Designs (screenshots from archive.org) ◦ Original ◦ Dockyard redesign https:/ /dockyard.com/blog/2014/11/18/rubygems-redesign • Tests ◦ Rspec/Cucumber ◦ System/integration tests ◦ Current state

112. RubyGems.org Architecture Changes • Vendored Gems • Frontend JS ◦

     No current frontend builder/typescript currently ◦ Remember SASS?

113. RubyGems.org Circa 2012 https:/ /www.sitepoint.com/a-chat-with-nick-quaranto-about-rubygems-org-internals/

114. RubyGems.org Architecture

115. RubyGems.org Stats bragging (2025 edition) • 250B downloads • User

     growth • Rubygem growth / # of packages • Top 10 gems over time (possibly animated) • Bundler usage • Sources: • https:/ /stats.rubygems.org/ • Clickhouse

116. RubyGems.org Community Changes • IRC channels • Boston RB contributions

     / RailsCamp hacking • How people contributed in Gemcutter era - RubyCentral takeover • Evolution of contributing (cool commit map here?)