Hello! Welcome to the July newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done over the previous month.

In June, Ruby Central's open source work was supported by Ruby Shield sponsor Shopify, AWS, the Sovereign Tech Fund (STF), and Ruby Central memberships from 29 other companies, including Partner-level member Contributed Systems, the company behind Mike Perham’s Sidekiq. In total, we were supported by 189 members. Thanks to all of our members for making everything that we do possible. <3

Ruby Central News

RubyConf 2024 announcements

Get your tickets before Early Bird pricing ends on July 31!

Time to join RubyConf 2024 at the best price is running out! Grab your ticket.

Already booked your ticket? Go ahead and book your hotel room at conference rates too and get a glimpse of our amazing host city on our website.

Welcome two RubyConf 2024 keynote speakers!

Nadia Odunayo is the Founder and CEO of The StoryGraph, an app that helps you track your reading and choose your next book based on your mood and favorite topics. She is joining us at RubyConf fresh off her inspiring keynote at RailsConf 2024.

Brandon Weaver is a Senior Staff Software Engineer at One Medical and an artist-turned-programmer. He teaches Ruby with a series of colorful cartoon lemurs going on storybook adventures, a unique approach you may recognize from his entertaining conference talks.

RubyConf 2024 in your ear!

Check out RubyConf 2024 co-chairs Kinsey Durham Grace and Jim Remsik on recent episodes of Remote Ruby and Code and the Coding Coders who Code it, talking all things RubyConf, their own experiences in the Ruby community, mentorship opportunities and more!

Check out our revamped Ruby Central Membership Program!

Ruby Central is forming sustaining partnerships with major companies in our community. Click here to learn about all the exciting new ways we’ll be engaging with our members and how you can get involved.

Upcoming Conferences:

  • Ruby Central
    • RubyConf 2024 will be in Chicago on Nov 13-15th at the Hilton Downtown Chicago.
    • RailsConf 2025 will be our final RailsConf.
      • We’d love our community to help us choose the location for this final event. If you have not filled out the Google Form to vote please do!
      • We’ve made a limited number of supporter tickets available here for purchase — consider contributing to help make this special event the best one yet!
  • Community Conferences

Get Involved:

  • If you'd like to get involved and help make our community and events even better, we'd love to have you join us! Check out our volunteer page, and/or feel free to shoot an email to our executive director, Adarsh, to find the best way to get plugged in.
  • Want to promote your company at RubyConf in 2024? Secure your sponsorship now to reach all our attendees, showcase your thought leadership, and cultivate invaluable industry relationships by emailing our wonderful sponsorships manager, Tom.
  • Remember, you can receive exclusive benefits like conference discounts and more by signing up for a Ruby Central membership. Check to see if your employer matches donations to Ruby Central, Inc. through Benevity and double your support!

RubyGems News

In June, we released RubyGems 3.5.12, 3.5.13, and 3.5.14, and Bundler 2.5.12, 2.5.13, and 2.5.14. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include: auto-switching to the locked Bundler version even when using binstubs, a fix for duplicated config keys generated when the fallback_timeout URI option is used, and a fix for slow and incorrect resolution when adding sorbet to a Gemfile if the lockfile only includes "RUBY" in the platforms section.

Some other important accomplishments from the team this month include:

A better out of the box experience when creating new gems with bundle gem

  • A user alerted us to a source of friction in the gem creation process: users need to edit all the TODOs in the gemspec before they can even run Bundler or the generated placeholder tests.
  • The issue was that values such as the gem’s homepage, source code and changelog URIs, while important, are not what users have in mind (yet) when they create a new gem. They just want to start working on it. In many cases entering this information can be deferred until gem build/push time.
  • The internal RubyGems validation methods have several consumers (RubyGems.org, Bundler and RubyGems itself), so changing the validations just for Bundler would have been risky: it would have relaxed them everywhere. The alternative, adding a new parameter to Gem::Specification#validate, felt like overcomplicating things. So we added a new Gem::Specification#validate_for_resolution method, used only by Bundler, that skips the validations that are not essential for Bundler to work with a local gemspec.
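The difference between the two validation entry points can be seen with an in-memory gemspec shaped like the one `bundle gem` generates, with the homepage still set to its TODO placeholder. This is an added example written for this newsletter, not RubyGems or Bundler code; the gem name and summary are made up, and `validate_for_resolution` is only called when the installed RubyGems provides it (3.5.12 or newer).

```ruby
require "rubygems"

# Constructed, in-memory gemspec resembling a freshly generated one. No files
# on disk are needed because files is left empty. Names are hypothetical.
def placeholder_gemspec
  Gem::Specification.new do |s|
    s.name     = "demo_gem"
    s.version  = "0.1.0"
    s.summary  = "Demo gem for validation behaviour"
    s.authors  = ["Example Author"]
    s.files    = []
    # Exactly the placeholder `bundle gem` leaves behind until you edit it.
    s.homepage = "TODO: Put your gem's website or public repo URL here."
  end
end

# Full validation, the path `gem build` takes. Returns the error message when
# the spec is rejected, nil when it passes. Non-fatal warnings go to stderr.
def full_validation_error(spec)
  spec.validate
  nil
rescue Gem::InvalidSpecificationException => e
  e.message
end

# Resolution-only validation. Returns :ok when the spec is usable for
# dependency resolution, the error message if it is not, and :unsupported on
# RubyGems versions that predate the method.
def resolution_validation_result(spec)
  return :unsupported unless spec.respond_to?(:validate_for_resolution)
  spec.validate_for_resolution
  :ok
rescue Gem::InvalidSpecificationException => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  spec = placeholder_gemspec
  puts "validate:                #{full_validation_error(spec).inspect}"
  puts "validate_for_resolution: #{resolution_validation_result(spec).inspect}"
end
```

Running this on RubyGems 3.5.12 or later shows the full validation rejecting the placeholder homepage while the resolution-only check accepts the same spec, which is the relaxation Bundler needed without loosening what `gem build` and RubyGems.org enforce.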

Fixing longstanding issues with plugins by tracking them in the Gemfile.lock file

  • A couple of frustrations with plugins specified via Gemfile have been coming up for years: they are constantly reinstalled, and they cause unnecessary resolution metadata to be fetched, even in deployment mode. We want to encourage people to create and use Bundler plugins by ensuring they have a smooth usage experience.
  • After a few iterations, we realized we can treat plugins the same as regular gems and therefore avoid all the unnecessary work by having a lockfile. So the solution ended up being simple: including plugins as gems in the lockfile.
  • We need to do some backwards compatibility work around making changes to the lockfile but aside from that, we expect this solution to resolve most of the issues.

Bundler specs will now use the Compact Index by default

  • As a first step to providing a way to opt-in to lockfile checksums, we want to make sure most Bundler specs use the compact index (that exercises checksums under the hood).
  • Bundler specs currently use the fallback to the full index by default. This is a very rare working mode these days since it requires that all dependency APIs fail. In addition to that, the full index does not provide checksums. Switching to using the compact index by default will give us confidence to enable lockfile checksums.
  • It was a very big PR with bulk changes migrating from file:// sources that skip dependency APIs to dummy https sources that do exercise the compact index. It was a bit tricky to get everything passing but we trust it is safe as most of the changes are confined to test code.

In June, RubyGems gained 153 new commits contributed by 18 authors. There were 5,907 additions and 4,833 deletions across 231 files.

RubyGems.org News

The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in June was provided by AWS, Fastly, and DataDog. The following are highlights of what the team worked on this month:

RubyGems Organization Accounts

  • We are building a new feature for RubyGems.org that will allow organization accounts, memberships and increased control over gem permissions. The feature will give gem owners more precise control over ownership of gems and permissions for organization members.
  • We know that nuance is required when introducing this additional layer of organization into the existing RubyGems.org framework and we plan to introduce the new feature without disrupting existing workflows.
  • This month, we created user flows to identify potential challenges and edge cases, refactored permissions models to use the well-known Pundit gem, and added basic models in preparation for the feature.

Aligning Authentication on RubyGems.org with best practices

  • Back in January when we released details about an MFA bypass in the password reset process, it became clear that our MFA strategy was not applied uniformly in a way that helped us reduce mistakes. We have some flows that don’t follow OWASP guidelines for password resets, email tokens, or MFA.
  • @martinemde has been working to carefully refactor all MFA interaction points in RubyGems.org, increasing test coverage and unifying MFA processes under a single code path. We have adopted many of the best practices for securing authentication processes as defined by OWASP and other guidelines.
  • One example: we have stopped our previous practice of auto-sign-in after password changes or email confirmations, so that every flow that can result in a session must pass through the full sign-in process, including MFA.
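To make that last point concrete, here is an added, self-contained Ruby model of the two shapes of a password-reset flow. It is illustrative code written for this newsletter, not RubyGems.org's implementation: the `Account`, `Resets`, `LegacyFlow` and `HardenedFlow` names are hypothetical, the PBKDF2 and TOTP helpers stand in for whatever libraries a real application uses, and the TOTP secret is the RFC 6238 test value. The legacy reset hands back a session directly, so the second factor is never checked; the hardened reset only changes the credential, and `sign_in` is the single code path that creates a session.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Constructed in-memory account record (hypothetical; not a RubyGems.org model).
Account = Struct.new(:email, :password_hash, :totp_secret,
                     :reset_token_hash, :reset_expires_at, keyword_init: true)

# Minimal primitives so the flows below run offline: PBKDF2 for passwords and
# RFC 6238 TOTP for the second factor.
module Primitives
  PBKDF2_ITERATIONS = 100_000

  def self.hash_password(password, salt = SecureRandom.hex(16))
    key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                   length: 32, hash: "sha256")
    "#{salt}$#{key.unpack1("H*")}"
  end

  # Hashing both sides before comparing removes the early-exit timing
  # difference of a plain string comparison.
  def self.password_matches?(stored, password)
    salt, _ = stored.split("$", 2)
    Digest::SHA256.digest(hash_password(password, salt)) == Digest::SHA256.digest(stored)
  end

  # RFC 6238 TOTP (HOTP dynamic truncation over a 30 second counter).
  def self.totp(secret, now, step: 30, digits: 6)
    hmac = OpenSSL::HMAC.digest("sha1", secret, [now / step].pack("Q>"))
    offset = hmac.getbyte(-1) & 0x0f
    code = (hmac.byteslice(offset, 4).unpack1("N") & 0x7fff_ffff) % (10**digits)
    format("%0#{digits}d", code)
  end
end

# Reset tokens: only the token's hash is persisted, the raw token goes into the
# e-mail link, and a token is single-use and expires.
module Resets
  TTL = 15 * 60

  def self.issue(account, now:)
    token = SecureRandom.urlsafe_base64(32)
    account.reset_token_hash = Digest::SHA256.hexdigest(token)
    account.reset_expires_at = now + TTL
    token
  end

  def self.consume(account, token, now)
    return false if account.reset_token_hash.nil? || now > account.reset_expires_at
    return false unless Digest::SHA256.hexdigest(token.to_s) == account.reset_token_hash
    account.reset_token_hash = nil   # single use
    account.reset_expires_at = nil
    true
  end
end

# BEFORE: the pattern being removed. A valid reset token alone yields a
# session, so MFA is bypassed for anyone who can obtain a reset link.
module LegacyFlow
  def self.reset_password(account, token, new_password, now:)
    return nil unless Resets.consume(account, token, now)
    account.password_hash = Primitives.hash_password(new_password)
    { email: account.email, session_id: SecureRandom.hex(16) }   # auto-sign-in
  end
end

# AFTER: a reset only changes the credential and returns a boolean. The only
# way to obtain a session is sign_in, which always checks password and TOTP.
module HardenedFlow
  def self.reset_password(account, token, new_password, now:)
    return false unless Resets.consume(account, token, now)
    account.password_hash = Primitives.hash_password(new_password)
    true
  end

  def self.sign_in(account, password, otp, now:)
    return nil unless Primitives.password_matches?(account.password_hash, password)
    return nil unless Primitives.totp(account.totp_secret, now) == otp
    { email: account.email, session_id: SecureRandom.hex(16) }
  end
end

# Walks both flows for one constructed account and returns what each hands back.
def demo
  now = 1_700_000_000
  account = Account.new(email: "dev@example.com",
                        password_hash: Primitives.hash_password("old-password"),
                        totp_secret: "12345678901234567890")   # RFC 6238 test secret
  legacy   = LegacyFlow.reset_password(account, Resets.issue(account, now: now), "new-pw-1", now: now)
  hardened = HardenedFlow.reset_password(account, Resets.issue(account, now: now), "new-pw-2", now: now)
  good_otp = Primitives.totp(account.totp_secret, now)
  bad_otp  = format("%06d", (good_otp.to_i + 1) % 1_000_000)
  { legacy_session: legacy, hardened_reset: hardened,
    without_otp: HardenedFlow.sign_in(account, "new-pw-2", bad_otp, now: now),
    with_otp:    HardenedFlow.sign_in(account, "new-pw-2", good_otp, now: now) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The contrast worth noticing is the return type of `reset_password`: the legacy version returns a session, the hardened one returns only `true`, so there is no way for a reset (or, by the same pattern, an e-mail confirmation) to end in an authenticated session without going through `sign_in` and its second-factor check.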

Ruby Ecosystem News

Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.

Ruby Toolbox

Making local setup and codespaces based contributions to the Ruby Toolbox easier

  • Data dumps are quite large nowadays and importing them locally can take hours. It would be helpful to provide a slim data dump for a realistic but small local development dataset, to create a more accessible way of contributing to the site itself.
  • @colszowka has added partial production database exports to the Ruby Toolbox, making it easier to get a realistic dataset for development purposes. Alongside this, there is now a devcontainer setup for easier local or browser-based development environment setup, for example using Codespaces.

Making historical and recent security advisories for RubyGems visible on the Ruby Toolbox

  • To increase transparency and ensure everyone has the latest database information, work by Christoph is underway to import the Ruby advisory database to the Ruby Toolbox, for displaying security advisories on the site. The data is already being imported, with the remaining step being to actually show it on the UI.

In June, RubyGems.org gained 110 new commits contributed by 11 authors. There were 3,655 additions and 2,518 deletions across 211 files.

Total spent

In June we spent $93,945.76 on development work.

Thank you

Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.

Contributors to RubyGems:

Contributors to RubyGems.org:

If we missed you, please let us know so we can include you in our shout out!