December 2020 Monthly Update

Hello! Welcome to the monthly update. During December, our work was supported by Zendesk, DigitalOcean, Bleacher Report, and many others.

ruby together news

In December, Ruby Together was supported by 41 different companies, including Ruby member Zendesk and Sapphire member Stripe. 2 companies joined as new members.

On top of those companies, 2 new developers signed up as members, including Sinan Taifour and Nick Willever. In total, we were supported by 105 developer members. Thanks to all of our members for making everything that we do possible. <3

rubygems & bundler news

In December, we finally released Bundler 2.2 and RubyGems 3.2. 🎉 On the Bundler side, this minor release provides some major enhancements in how Bundler treats platforms, and also a few extra features. Check out the Bundler 2.2 release blog post for details. On the RubyGems side, the release provides several bug fixes, a noticeable boot time speed-up, better integration in ruby-core and alternative implementations, and adds support for a change in the server side that allows using scoped API keys.

After the releases, we also received the corresponding feedback and regression reports, and addressed almost everything reported through 4 patch level releases of each library. In particular, we made it on time for Ruby’s Christmas release and managed to include RubyGems 3.2.3 and Bundler 2.2.3 with the final release of Ruby 3.0.

This month, RubyGems gained 203 new commits, contributed by 13 authors. There were 4191 additions and 2066 deletions across 1184 files.

rubygems.org news

This month, we published a guide on RubyGems.org about API keys, their scopes, and CLI usage (#275). We also investigated and removed ruby-bitcoin and pretty_color gems for  containing malicious code which could steal sensitive information; this issue was reported by @mensfeld for obfuscated code. We have updated the corresponding wiki page of gems yanked and accounts locked.

In addition to that, we made the following improvements and fixes:

• deployed a PR to update versions_downloads in elastic search and reindex to fix the mismatch in downloads count. #2534
• deployed an API key with scopes and migrated legacy per account keys to the new API keys with encrypted storage. #1962
• setup insecure.rubygems.org to not redirect dependency endpoints to HTTPS. #2590
• worked on a PR to block throw-away domains from signup. #2579
• merged a PR to update a failing test on ruby 2.7. #2580
• worked on a PR to update to Rails 6.1. #2584
• worked on a PR to update gem dependencies to support elastic search 6. #2585
• updated a PR to update clearance. #2446
• enabled a few more Rails 6 defaults. #2583
• updated the rubygems.org TLS certificate to support TLS 1.3.
• deployed a PR and backfilled canonical_versions to disallow publishing of duplicate canonical version numbers. It resolves the issue of clients installing potentially malicious versions of existing releases. #2559
• updated version_downloads to use the most_recent version implementation. #2534
• fixed a script to block users with handles that had uppercase letters. #2570
• merged a PR to enable Rails 6 default for return_false_on_aborted_enqueue. #2571

As always, we continue to fix bugs, review and merge PR’s and reply to support tickets.

In total, RubyGems.org gained 77 new commits, contributed by 10 authors. There were 2154 additions and 596 deletions across 96 files.

budget & expenses

In December, we saw $10,000.31 in total income, and spent a total of $12,566.23.

• Stripe Payment Processing Fees $398.74
• Employee Related $601.39
• General & Administrative $90.28
• IT & Software $812.11
• Professional Fees $0
• 71.1 Hours of development work at $10,663.71

Until next time,
Irene, André and the Ruby Together team

January 18, 2021