Hello! Welcome to the February newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done from the previous month. In January, Ruby Central's open source work was supported by 29 different companies, including Fastly, Sentry, Ruby Shield sponsor Shopify, and Partner-level member Contributed Systems, the company behind Mike Perham’s Sidekiq. In total, we were supported by 178 members. Thanks to all of our members for making everything that we do possible. <3

Ruby Central News

Ruby Meet-ups

  • Directory coming soon! We’re creating a directory of ALL active Ruby meetups to help us connect with one another, and so we can offer resources and support. Click to fill out the form below and register your Ruby meet-up today!
  • Bay Area meetup in March! Our first sponsored meetup is starting Friday March 1st, 2024 in the SF Bay Area in the US with a low-key ramen lunch hosted by Ruby Central’s Adarsh Pandit! RSVP here.

RubyConf 2023 Recap Report

We published a report last week capturing every part of RubyConf 2023, from the innovative new additions to the program – Community Day and Open Spaces — to our attendee demographics, to the finances it took to make it happen. Enjoy this walk with us down memory lane to see what you missed, or re-live the fun – pictures included! 

Upcoming Conferences:

Get Involved:

  • If you'd like to get involved and help make our community and events even better, we'd love to have you! Check out our volunteer page, and/or feel free to shoot an email to our executive director, Adarsh, to find the best way to get plugged in.
  • Want to share your brand at RailsConf or RubyConf in 2024? Secure your sponsorship now to reach over 500 attendees, showcase your thought leadership, and cultivate invaluable industry relationships by emailing our wonderful sponsorships manager, Tom.
  • Remember, you can receive exclusive benefits like conference discounts and more by signing up for a Ruby Central membership. Check to see if your employer matches donations to Ruby Central, Inc. through Benevity and double your support!

RubyGems News

In January in RubyGems, we released RubyGems 3.5.5 and Bundler 2.5.5. These releases included fixes to the caching of the specifications directory, to the omission of development dependencies, and to the formatting of compact index request headers, as part of our continuous effort to enhance the Ruby development experience.

Some other important accomplishments from the team this month include:

Resolution of Bundler issue with Renovatebot

  • @deivid-rodriguez addressed a specific Bundler resolution problem affecting the operation of Renovatebot. We try to play nice with update bots since they contribute to a healthier and more secure ecosystem. Renovate in particular does not seem to use Bundler internals, but runs Bundler directly through well-defined CLI flags. This is very good for us, so it’s nice to give back and make sure the CLI flags they use work as expected. The issue happens when Renovatebot first changes the Gemfile and then runs bundle lock --update --patch --strict.
  • He first investigated a solution that involved bringing the lockfile up to date, but ultimately realized that this approach breaks the --patch --strict contract because it can result in a gem being upgraded past its patch level. In the end, he decided to treat the current behavior as expected and will focus on improving the error message in the future. (#7369)
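To make the --patch --strict contract concrete, here is a small model of it written for this newsletter (it is not Bundler's resolver, which also weighs every other gem's constraints; this looks at one gem in isolation). It uses the Gem::Version and Gem::Requirement classes that ship with Ruby. The Renovate-style scenario at the end, with its version list and edited Gemfile requirement, is a constructed example, not the exact case from #7369.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement are part of Ruby's default library

# Versions a locked gem may move to under `bundle lock --update --patch --strict`,
# following the documented flag semantics: --patch prefers the next patch release,
# and --strict forbids moving past the patch level at all. Simplified model,
# not Bundler's code: one gem considered on its own.
def patch_strict_candidates(locked, available)
  locked_v = Gem::Version.new(locked)
  line = locked_v.segments[0, 2] # [major, minor] must stay fixed under --patch
  available.map { |v| Gem::Version.new(v) }
           .reject(&:prerelease?)
           .select { |v| v.segments[0, 2] == line && v >= locked_v }
           .sort
end

# The Renovate-style sequence: the Gemfile requirement is edited first, then the
# lock runs with --patch --strict. Returns the chosen version, or nil when the
# edited requirement cannot be met without leaving the patch line. Honouring the
# contract means reporting that conflict rather than quietly upgrading further
# (which is the behaviour the newsletter says is now considered expected).
def lock_patch_strict(locked, available, gemfile_requirement)
  req = Gem::Requirement.new(gemfile_requirement)
  patch_strict_candidates(locked, available).reverse.find { |v| req.satisfied_by?(v) }&.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: what the gem server offers, and a lockfile at 1.2.4.
  available = %w[1.2.3 1.2.4 1.2.5 1.2.6.pre 1.3.0 2.0.0]
  puts "candidates: #{patch_strict_candidates('1.2.4', available).join(', ')}"
  puts "Gemfile '>= 1.2' -> #{lock_patch_strict('1.2.4', available, '>= 1.2').inspect}"
  puts "Gemfile '~> 1.3' -> #{lock_patch_strict('1.2.4', available, '~> 1.3').inspect} (conflict)"
end
```

The second call is the interesting one: after the Gemfile has been bumped to `~> 1.3`, the only version that satisfies it (1.3.0) is outside the locked 1.2 patch line, so a strict patch-level lock has no legal answer and must fail instead of upgrading.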

Resolution of RubyGems require issue

  • @deivid-rodriguez tackled a challenging issue within RubyGems related to its custom require implementation. The gemification of default gems, especially those with dependencies, surfaced issues after the Ruby 3.3 release that affected the user experience. The fix ensures that RubyGems' require bypasses activating the default versions of gems under conflict-prone conditions. For more details, see #7379.

Work toward vendoring URI in RubyGems

  • This initiative was part of efforts to smooth out the extraction of default gems from ruby-core, ensuring a seamless transition. The successful vendoring of URI marks a significant step towards mitigating activation conflicts. Information on this update is available in #7386.

Addressing an ENV resetting issue in RubyGems

  • Restoring Bundler-related ENV variables to empty prevents downstream issues when trying to invoke Bundler from subprocesses, as one of our users, Edouard-chin, pointed out. An investigation identified a bug related to the special-casing of empty ENV variables. That exception was removed; the fix and its implications are detailed in #7383.

Introduction of a Gem Rebuild Command

  • Ellen Dash is leading the development of a gem rebuild command to facilitate reproducible builds. Reproducible builds allow people to identify problems such as compromised build environments or builds not using the published source. For a few years now, it’s been technically possible to reproduce a build if you knew enough about the original build environment. The gem rebuild command’s purpose is to automate as much of this as possible.
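As an added illustration for this newsletter (not Ruby Central's code, and not what the gem rebuild command itself does), here is the kind of check a rebuild is meant to automate, scripted with the tar and gzip classes that ship with RubyGems: pin SOURCE_DATE_EPOCH, build the archive twice, and when the two archives differ, descend into data.tar.gz to report which file diverged so you can tell a compromised or drifted build from a mere timestamp difference. The sample source file, the metadata stand-in and the epoch value are constructed for the example, and the sample omits checksums.yaml.gz that a real .gem carries.

```ruby
require "rubygems/package"
require "zlib"
require "digest"
require "stringio"

# Gzip with the header mtime pinned via Gem.source_date_epoch (which honours
# SOURCE_DATE_EPOCH), as a reproducible build of metadata.gz/data.tar.gz must.
def gzip_pinned(bytes)
  out = StringIO.new("".b)
  gz = Zlib::GzipWriter.new(out)
  gz.mtime = Gem.source_date_epoch
  gz.write(bytes)
  gz.finish
  out.string
end

# Write a tar into memory with the RubyGems tar writer (entry mtimes also come
# from Gem.source_date_epoch). `entries` maps path => file body.
def tar_bytes(entries)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, body|
      tar.add_file_simple(name, 0o644, body.bytesize) { |f| f.write(body.b) }
    end
  end
  io.string
end

# A .gem is an outer tar holding metadata.gz and data.tar.gz (constructed sample;
# the real layout also includes checksums.yaml.gz).
def build_sample_gem(sources, metadata_yaml)
  tar_bytes("metadata.gz" => gzip_pinned(metadata_yaml),
            "data.tar.gz" => gzip_pinned(tar_bytes(sources)))
end

# SHA-256 of every file in the archive, descending into *.tar.gz members so that
# a source file shows up as "data.tar.gz/lib/foo.rb".
def member_digests(tar, prefix = "")
  digests = {}
  Gem::Package::TarReader.new(StringIO.new(tar)) do |reader|
    reader.each do |entry|
      next unless entry.file?
      path = prefix + entry.full_name
      body = entry.read || "".b
      if path.end_with?(".tar.gz")
        inner = Zlib::GzipReader.new(StringIO.new(body)).read
        digests.merge!(member_digests(inner, "#{path}/"))
      else
        digests[path] = Digest::SHA256.hexdigest(body)
      end
    end
  end
  digests
end

# Compare a published gem with a local rebuild. {} means byte-identical. Otherwise
# one entry per diverging member, or { archive_only: true } when every file matches
# but the container bytes differ (timestamps, ownership, member order), which
# points at the build environment rather than at the published source.
def compare_builds(published, rebuilt)
  return {} if published == rebuilt
  a = member_digests(published)
  b = member_digests(rebuilt)
  report = {}
  (a.keys | b.keys).each do |path|
    next if a[path] == b[path]
    report[path] = if a.key?(path) && b.key?(path) then :content_differs
                   elsif a.key?(path) then :missing_in_rebuild
                   else :extra_in_rebuild
                   end
  end
  report.empty? ? { archive_only: true } : report
end

ENV["SOURCE_DATE_EPOCH"] = "1704067200" # pin the build clock (2024-01-01T00:00:00Z)

SOURCES  = { "lib/demo.rb" => "module Demo\n  VERSION = \"1.0.0\"\nend\n" }.freeze
METADATA = "name: demo\nversion: 1.0.0\n".freeze # constructed stand-in for the gemspec YAML

# Two rebuilds of the constructed "published" gem: one faithful, one whose
# source tree gained a line that the published source never had.
def demo_reports
  published = build_sample_gem(SOURCES, METADATA)
  faithful  = build_sample_gem(SOURCES, METADATA)
  altered   = build_sample_gem(SOURCES.merge("lib/demo.rb" => SOURCES["lib/demo.rb"] + "Demo::EXTRA = true\n"), METADATA)
  { faithful: compare_builds(published, faithful), altered: compare_builds(published, altered) }
end

puts demo_reports.inspect if __FILE__ == $PROGRAM_NAME
```

Without the pinned epoch the two archives would generally differ only at the archive level, and the report would say so; a `:content_differs` entry under data.tar.gz is the signal that the rebuild did not use the published source, which is precisely the case reproducible builds exist to catch.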

In January, RubyGems gained 163 new commits contributed by 18 authors. There were 6,051 additions and 1,059 deletions across 244 files.

RubyGems.org News

January's updates to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform.

The following are highlights of what the team worked on this month:

Resolution of a multi-factor authentication (MFA) bypass on password reset vulnerability

A vulnerability report from HackerOne brought to our attention a critical flaw in the MFA process during password reset. This issue was addressed and resolved through the collaborative efforts of Martin Emde, with significant contributions from Josef Šimánek, Samuel Giddins, and Eric. Read more about the report here.
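The report's details are not in this newsletter, so the following is an added, generic illustration of the class of bug rather than rubygems.org's code or its fix: a reset flow in which holding the emailed token alone is enough to set a new password, beside a hardened version that still demands the account's second factor. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the user records, token lifetime and timestamps are constructed for the example.

```ruby
require "openssl"
require "securerandom"

# RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits); `secret` is the raw key bytes.
def totp_code(secret, at:, step: 30, digits: 6)
  counter = [at.to_i / step].pack("Q>")
  hmac    = OpenSSL::HMAC.digest("SHA1", secret, counter)
  offset  = hmac.getbyte(19) & 0x0f
  binary  = hmac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  format("%0#{digits}d", binary % (10**digits))
end

# Constant-time comparison so a wrong code does not leak where it first differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current code and its two neighbours to tolerate small clock skew.
def totp_valid?(secret, code, at:)
  return false unless code.is_a?(String) && code.match?(/\A\d{6}\z/)
  [-1, 0, 1].any? { |drift| secure_equal?(totp_code(secret, at: at + drift * 30), code) }
end

class PasswordResetFlow
  TOKEN_TTL = 15 * 60

  def initialize
    @users  = {} # email => { password:, mfa_secret: }  (constructed in-memory store)
    @tokens = {} # reset token => { email:, expires_at: }
  end

  def add_user(email, password:, mfa_secret: nil)
    @users[email] = { password: password, mfa_secret: mfa_secret }
  end

  def password_for(email)
    @users.fetch(email)[:password]
  end

  # Step 1: mail a single-use, short-lived token. The HTTP layer must answer the
  # same way whether or not the address exists, to avoid account enumeration.
  def request_reset(email, now:)
    return nil unless @users.key?(email)
    token = SecureRandom.hex(16)
    @tokens[token] = { email: email, expires_at: now + TOKEN_TTL }
    token
  end

  # The bypass pattern: the emailed link is treated as full proof of identity,
  # so anyone who can read the mailbox defeats the account's second factor.
  def complete_reset_without_mfa(token, new_password, now:)
    entry = @tokens.delete(token)
    return :invalid_token unless entry && entry[:expires_at] > now
    @users[entry[:email]][:password] = new_password
    :ok
  end

  # Hardened: an MFA-enrolled account must also present a valid OTP before the
  # password changes. The token is consumed only on success; repeated OTP
  # attempts against a live token must be rate-limited by the caller.
  def complete_reset(token, new_password, now:, otp: nil)
    entry = @tokens[token]
    return :invalid_token unless entry && entry[:expires_at] > now
    user = @users[entry[:email]]
    if user[:mfa_secret]
      return :mfa_required if otp.nil?
      return :invalid_otp unless totp_valid?(user[:mfa_secret], otp, at: now)
    end
    @tokens.delete(token)
    user[:password] = new_password
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  flow = PasswordResetFlow.new
  flow.add_user("maintainer@example.com", password: "old", mfa_secret: "12345678901234567890")
  token = flow.request_reset("maintainer@example.com", now: Time.now.to_i)
  puts "bypass variant: #{flow.complete_reset_without_mfa(token, "pwned", now: Time.now.to_i)}"
  token = flow.request_reset("maintainer@example.com", now: Time.now.to_i)
  puts "hardened, no OTP: #{flow.complete_reset(token, "new", now: Time.now.to_i)}"
end
```

The check to take away is the ordering: the second factor is verified before the reset token is consumed and before any state changes, and a missing OTP is a distinct outcome from a wrong one so the UI can prompt for it without revealing anything else.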

Audit/Event Logging for Enhanced Security Monitoring

  • We introduced a user-visible log of security events that have happened on their account. This will help maintainers stay on top of how their account is being used, and events that happen on the gems they own, reducing mean time to remediation for unexpected actions. This also helps the RubyGems.org security team by providing a trail that can be followed in response to security incidents.
  • Critical events such as logins, password changes, email updates, API token generation and revocation, and gem ownership changes are now logged. Account events are visible only to the user they concern, while gem-related events are accessible to all owners of the respective gem. Check out #4367 for more information.
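To show how the visibility rules above fit together with the two audiences they serve (the maintainer watching their own account, and the security team following a trail), here is a small in-memory model added for this newsletter. It is not rubygems.org's schema or code; the event kinds, owners and log lines are constructed.

```ruby
require "time"

SecurityEvent = Struct.new(:at, :kind, :actor, :ip, :subject, keyword_init: true)

# Constructed model of a per-account / per-gem security event trail.
class SecurityEventLog
  ACCOUNT_EVENTS = %i[login password_changed email_updated api_token_created api_token_revoked].freeze
  GEM_EVENTS     = %i[owner_added owner_removed].freeze

  # gem_owners: "gem name" => ["owner handle", ...], the current ownership state.
  def initialize(gem_owners)
    @gem_owners = gem_owners
    @events = []
  end

  # subject is the account (for account events) or the gem name (for gem events).
  def record(kind:, actor:, ip:, subject:, at:)
    raise ArgumentError, "unknown event kind #{kind}" unless (ACCOUNT_EVENTS + GEM_EVENTS).include?(kind)
    @events << SecurityEvent.new(at: Time.iso8601(at), kind: kind, actor: actor, ip: ip, subject: subject)
  end

  # What a signed-in user may see: their own account events plus gem events for
  # every gem they currently own. Nothing about other accounts leaks through.
  def visible_to(user)
    @events.select do |e|
      if ACCOUNT_EVENTS.include?(e.kind)
        e.subject == user
      else
        @gem_owners.fetch(e.subject, []).include?(user)
      end
    end
  end

  # For the account holder: visible events from an address not on their known
  # list, the "unexpected action" the log is meant to surface quickly.
  def unexpected_for(user, known_ips:)
    visible_to(user).reject { |e| known_ips.include?(e.ip) }
  end

  # For the security team: everything one actor did, oldest first, regardless
  # of who may view it in the UI.
  def trail(actor)
    @events.select { |e| e.actor == actor }.sort_by(&:at)
  end
end

# Constructed sample: two gems, three maintainers, one session from a new address.
def sample_log
  log = SecurityEventLog.new("widget" => %w[alice bob], "gizmo" => %w[carol])
  log.record(kind: :login,             actor: "alice", ip: "203.0.113.7",  subject: "alice",  at: "2024-01-10T09:00:00Z")
  log.record(kind: :api_token_created, actor: "alice", ip: "198.51.100.9", subject: "alice",  at: "2024-01-10T09:05:00Z")
  log.record(kind: :owner_added,       actor: "alice", ip: "198.51.100.9", subject: "widget", at: "2024-01-10T09:06:00Z")
  log.record(kind: :password_changed,  actor: "carol", ip: "203.0.113.8",  subject: "carol",  at: "2024-01-10T10:00:00Z")
  log
end

if __FILE__ == $PROGRAM_NAME
  log = sample_log
  puts "bob sees:   #{log.visible_to('bob').map(&:kind).inspect}"
  puts "alice, unknown IPs: #{log.unexpected_for('alice', known_ips: ['203.0.113.7']).map(&:kind).inspect}"
end
```

In the sample, bob learns that an owner was added to widget without seeing anything about alice's account, while alice's own view flags that a new API token and the ownership change both came from an address she has never used, which is the signal to revoke the token and review the change.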

RubyGems.org is now using importmaps

  • Import maps are a modern approach to serving JavaScript that relies on HTTP/2 to transfer many smaller files rather than bundling JavaScript into a single large file. The result is a much lighter asset build system and better caching of assets that don’t change very often. During development, @martinemde worked through package management challenges with importmaps (e.g. verifying provenance, pushed upstream here: importmap-rails#237). You may not have realized that importmap-rails is a package manager, like bundler or npm, and should be managed as one. (rubygems.org#4396)

Fixing a bug in rack-test related to Content-Security-Policy nonces

  • During the development work on importmaps a small bug in rack-test was identified and fixed. The bug manifested through failing tests triggered when generating Content-Security-Policy nonces from a session_id. The resolution involved fixing how these cookies are processed in rack-test (rack-test#343) and preventing blank cookies from being recorded in rubygems.org.

Updating to Rails 7.1

  • We updated RubyGems.org to Rails 7.1 to keep dependencies of the Rails app up to date. The update involved a long-running pull request that addressed dependency issues. The merge and deployment proceeded smoothly after ensuring all upstream dependencies supported Rails 7.1, along with an update to the Rails configuration to align with 7.1 defaults.

Soft Deleting User Records

  • @segiddins implemented a feature for soft-deleting user records, a foundational step for the audit/event logging system. This ensures the preservation of database relationships for historical records referencing users, even after an account is deleted by the user.
  • When a user requests account deletion, we clear out all user information from the user record and mark it as deleted, but leave the row in the database. Deleted records are not shown in queries on the site. Find more information about this update in #4376 and #3766.

Check out an example of the new audit logging in rubygems.org: [screenshot of the security events section of a rubygems.org profile]

In January, RubyGems.org gained 85 new commits contributed by 8 authors. There were 2,490 additions and 1,238 deletions across 224 files.

Total spent

In January, we spent $65,352.52 on development work.

Thank you

Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support. And thank you to the German Sovereign Tech Fund (STF) for their generous support of our Bundler and RubyGems work.

Contributors to RubyGems:

Contributors to RubyGems.org: