Hello! Welcome to the May newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done from the previous month.
In April, Ruby Central's open-source work was supported by Ruby Shield sponsor Shopify, AWS, the German Sovereign Tech Fund (STF), and Ruby Central memberships from 29 other companies, including Partner-level member Contributed Systems, the company behind Mike Perham’s Sidekiq. In total, we were supported by 187 members. Thanks to all of our members for making everything that we do possible. <3
Ruby Central News
Thank you to everyone who attended RailsConf Detroit!
- We had an amazing time celebrating Rails with you in Detroit! If you were there, we’d love to hear from you about your favorite parts of the event, and what we can do better. Please take our 10-minute survey and share your experience.
- Conference photos and headshots are available now, here! Videos of talks and workshops will be available a bit later. We’ll drop the announcement when they are released on our social media channels, so stay tuned!
- If you weren’t there, you can also browse our Twitter to indulge in even more FOMO :).
- Finally, check out these amazing recaps of the event from our community:
- Ruby content creator and RailsConf Detroit program committee member Kevin Murphy shares an organizer’s perspective https://kevinjmurphy.com/posts/railsconf-2024-recap/
- RailsConf 2024 Speaker Garrett Dimon journals his thoughts about the Ruby programming language and community as a whole, and a response to our RailsConf 2025 announcement https://garrettdimon.com/journal/posts/the-bright-future-of-ruby-and-rails
- RailsConf 2024 Speaker Talysson Oliveira Cassiano provides a quick snapshot of his experience at the conference https://blog.codeminer42.com/codeminer42-at-railsconf-2024/
- Robby Russell, of Planet Argon, ohmyz.sh and the Maintainable Software Podcast, shares his journey to, and through, his 11th-ish RailsConf https://blog.planetargon.com/blog/entries/recap-railsconf-2024-detroit
- Long-time dev but first-time-attendee Phil Smy created a daily video diary capturing his RailsConf Detroit experience https://www.youtube.com/playlist?list=PLiJC12qFqVo1j0PtcnV4DltUsIRe5rnqA
- RailsConf 2024 speaker, author and consultant Andrew Atkinson shares his RailsConf 2024 experience, other RailsConf memories and reflections on saying goodbye to RailsConf https://andyatkinson.com/blog/2024/05/17/railsconf-conference-2024-detroit
- Finally, our intrepid RailsConf 2024 co-chair Andy Croll shares all the ups and downs of his conference organizing experience from first Ruby Central phone calls to final RailsConf bows https://andycroll.com/ruby/railsconf-detroit-2024-cochairs-perspective/
Keep up with Ruby Central’s AWS Software Engineer in Residence
- Samuel Giddins, RubyGems.org lead Security Engineer and our Software Engineer in Residence, has been sharing the highs, lows, and progress updates of his security work on his blog. Last month his development work included:
- Spending a significant amount of time investigating the impact of the xz/liblzma backdoor on the RubyGems ecosystem, and publishing a blog post on his findings. The rubygems-research tool proved invaluable in efficiently analyzing the spread of the vulnerable library within RubyGems. Spoiler: RubyGems was not vulnerable to the backdoor!
- Patching various Denial of Service (DoS) vulnerabilities related to YAML aliases and uploaded gem metadata size in RubyGems.org, improving the platform by re-introducing avatars with privacy considerations (more on this below), and documenting the compact index API for package repositories.
- You can learn more and follow along here. Thank you to AWS for supporting this work!
We’re revamping our Ruby Central Membership Program!
- If you’re reading this in your email inbox, you should have already received this news. If not, check out this announcement to learn about all of the exciting new ways we’ll be engaging with our members and how you can get involved.
Upcoming Conferences:
- Ruby Central
- RubyConf 2024 will be in Chicago on Nov 13-15th at the Hilton Downtown Chicago.
- A limited number of supporter tickets are on sale now, here. If you're on our mailing list you'll be the first to know when general tickets go on sale.
- If you're not yet, join the list here.
- In the meantime, you can reserve your hotel room at our special conference rate now.
- RailsConf 2025 will be our final RailsConf ever.
- Read more about why here.
- We’ve made a limited number of supporter tickets available here for purchase — consider contributing to help make this special event the best one yet!
- We’d love our community to help us choose the location for this final event. If you have not filled out the Google Form to vote please do, we’d love to hear from you!
- Community Conferences
- RubyConf Africa has extended their CFP deadline. You can now submit your talks until May 31!
- Coming up in May: Blue Ridge Ruby (May 30-31), Ruby for Good (May 30 - June 2), and RubyDay (May 31).
- And this summer’s Ruby conference lineup includes: Ruby Unconf (June 8–9), Baltic Ruby (June 13–15), Brighton Ruby (June 28), Red Dot RubyConf (July 25–26), RubyConf Africa (July 26–27), Madison+Ruby (August 1–2), and Rails Camp USA (August 27–30).
- Updated information is always available at rubyconferences.org, which includes a super-handy iCal feed.
Get Involved:
- If you'd like to get involved and help make our community and events even better, we'd love to have you join us! Check out our volunteer page, and/or feel free to shoot an email to our executive director, Adarsh, to find the best way to get plugged in.
- Want to promote your company at RubyConf in 2024? Secure your sponsorship now to reach all our attendees, showcase your thought leadership, and cultivate invaluable industry relationships by emailing our wonderful sponsorships manager, Tom.
- Remember, you can receive exclusive benefits like conference discounts and more by signing up for a Ruby Central membership. Check to see if your employer matches donations to Ruby Central, Inc. through Benevity and double your support!
RubyGems News
In April, we released RubyGems 3.5.8 and 3.5.9, and Bundler 2.5.8 and 2.5.9. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems, including: a security improvement that adheres to global umask settings when writing files, a fix for the NoMethodError crash linked to issues with corrupt package files (https://github.com/rubygems/rubygems/pull/7539), and a resolution for an error message problem in the resolver when it runs out of versions due to the use of --strict --patch filters.
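To make the umask point concrete, here is an added illustration in Ruby (not code from RubyGems or from this newsletter). It contrasts a writer that asks for a permissive mode and lets the process umask trim it against a hypothetical writer that forces an explicit mode afterwards, and includes a small audit helper that flags files readable or writable by group or others. The "before" behaviour is an assumption used for contrast, not a description of the actual RubyGems code.

```ruby
require "tmpdir"

# Effective permission bits a file receives when created with +requested+
# under +umask+: the umask bits are cleared from the request.
def effective_mode(requested, umask = File.umask)
  requested & ~umask & 0o777
end

# How an installer should write: request a generous mode and let the
# process umask trim it. Returns the resulting permission bits.
def write_respecting_umask(path, contents, requested = 0o666)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, requested) do |f|
    f.write(contents)
  end
  File.stat(path).mode & 0o777
end

# Hypothetical "before" behaviour for contrast: forcing a mode after the
# write overrides whatever the umask removed, so the file ends up
# group/world-readable even under a restrictive umask.
def write_ignoring_umask(path, contents, forced = 0o644)
  File.write(path, contents)
  File.chmod(forced, path)
  File.stat(path).mode & 0o777
end

# Audit helper: true when group or others have any access bits set.
def exposed?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Run both writers under a user-only umask (0o077, as on a hardened CI
# runner) and report the modes observed. Sample contents are constructed.
def demo
  Dir.mktmpdir do |dir|
    old_umask = File.umask(0o077)
    begin
      good = File.join(dir, "good.rb")
      bad  = File.join(dir, "bad.rb")
      {
        umask: 0o077,
        respecting: write_respecting_umask(good, "puts 1\n"),
        ignoring: write_ignoring_umask(bad, "puts 1\n"),
        respecting_exposed: exposed?(good),
        ignoring_exposed: exposed?(bad),
      }
    ensure
      File.umask(old_umask)
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Run it with `ruby umask_demo.rb`: under a 0o077 umask the umask-respecting writer produces a 0o600 file, while the forced-mode writer leaves a 0o644 file that the audit helper flags as exposed. The same `exposed?` check is a cheap post-install assertion for any tooling that unpacks third-party packages onto a shared host.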
Some other important accomplishments from the team this month include:
Avoiding Writing Credentials to Lockfiles by Default
- In an effort to enhance security and prevent users from accidentally sharing credentials publicly, we recommend that you do not embed credentials in lockfiles.
- This practice was already uncommon, except in instances where users included credentials directly in their Gemfile, a method we do not recommend. Instead, it's advisable to store credentials in Bundler settings.
- Even when users opt to supply credentials via an ENV variable, we now consistently ensure that they are not stored in the lockfile but are sourced either from the configuration or directly from the Gemfile.
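As an added example (not code from Bundler or from this newsletter), here is a small Ruby audit that finds `remote:` entries in a Gemfile.lock carrying embedded `user:password@` credentials, scrubs them, and prints the equivalent `bundle config set --global <host> <user:password>` commands that move each credential into Bundler settings instead. The lockfile excerpt, host name and token are constructed sample data.

```ruby
require "uri"

# Constructed sample Gemfile.lock excerpt (not from any real project): the
# second remote carries an embedded deploy token.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    remote: https://deploy:s3cr3t-token@gems.example.com/
    specs:
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake

  BUNDLED WITH
     2.5.9
LOCK

# Matches "  remote: <url>" lines; group 1 keeps the indentation and label.
REMOTE_LINE = /^(\s*remote:\s*)(\S+)(.*)$/

# Parse a remote URL; returns nil for anything URI cannot understand.
def parse_remote(url)
  URI.parse(url)
rescue URI::InvalidURIError
  nil
end

# Every remote: URL in the lockfile that embeds userinfo (user:password@host).
def credentialed_remotes(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = REMOTE_LINE.match(line)
    uri = m && parse_remote(m[2])
    uri && uri.userinfo ? uri.to_s : nil
  end
end

# Rebuild the URL without its userinfo component.
def strip_userinfo(uri)
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}#{uri.path}"
end

# Returns [scrubbed lockfile text, list of bundle config commands that
# store each credential in Bundler settings keyed by host].
def scrub_lockfile(lockfile_text)
  commands = []
  cleaned = lockfile_text.each_line.map do |line|
    m = REMOTE_LINE.match(line)
    uri = m && parse_remote(m[2])
    next line unless uri && uri.userinfo
    commands << "bundle config set --global #{uri.host} #{uri.userinfo}"
    "#{m[1]}#{strip_userinfo(uri)}#{m[3]}\n"
  end.join
  [cleaned, commands]
end

if $PROGRAM_NAME == __FILE__
  puts "Credentialed remotes: #{credentialed_remotes(SAMPLE_LOCKFILE).inspect}"
  cleaned, commands = scrub_lockfile(SAMPLE_LOCKFILE)
  puts cleaned
  puts commands
end
```

`credentialed_remotes` is the part worth wiring into a pre-commit hook or CI check: a non-empty result means a secret is about to be committed. The `bundle config set --global` form writes the credential to the user's Bundler config rather than the repository; the same setting can also be supplied as an environment variable named after the host (dots become double underscores, so `gems.example.com` becomes `BUNDLE_GEMS__EXAMPLE__COM`), which keeps the secret out of shell history as well.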
Making bundle update specific_gems Smarter
- For years, reports have indicated that bundle update gem does not consistently update the gem to its latest available version. Users find that if they delete their lockfile, specify the desired version in the Gemfile, or run bundle install, the gem updates as expected. Ideally, such steps shouldn't be necessary for updating a gem: bundle update gem should suffice.
- This is also why dependency bots like Dependabot sometimes fail to create PRs to address security alerts. The challenge is that upgrading one gem may require upgrading others to prevent version conflicts. bundle update gem currently lacks the capability to handle this complexity.
- To address this, I implemented a fix where a full bundle update is first executed to determine the latest resolvable versions, followed by a targeted update that forces these versions, allowing the resolver to manage any conflicts by unlocking conflicting dependencies.
Resolving Musl Platform Issues for RubyGems and Bundler
- Since introducing support for the musl platform, there have been various issues and regressions with it, leading to hesitancy among gem authors about releasing musl variants. The maintainer of Nokogiri has been actively identifying these issues, including a critical problem he believes to be the last barrier to fully supporting musl precompiled gems. Addressing this issue seemed necessary.
- The non-transitivity of Gem::Platform#=== with musl was causing missing platforms in the lockfile, leading to resolution errors. The issue has been resolved by specifically accommodating the unique aspects of musl when removing invalid platforms from the lockfile.
In April, RubyGems gained 106 new commits contributed by 13 authors. There were 1,175 additions and 797 deletions across 106 files.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in April was provided by AWS, Fastly, and DataDog.
The following are highlights of what the team worked on this month:
Re-introducing Avatars to RubyGems.org
- Originally, profile images were removed from RubyGems.org due to privacy concerns, as Gravatar's system exposed user emails, leading to complaints. This change, however, made the site appear anonymous, diminishing the perceived trustworthiness of gem info pages.
- To address this issue, @segiddins has developed a solution that allows images to be safely displayed without compromising privacy. This new method proxies images through RubyGems.org, maintaining user privacy while enhancing the visual appeal and trust of the platform.
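The following Ruby sketch is an added illustration of the proxying idea, not RubyGems.org's own implementation. It contrasts a direct Gravatar-style URL, which places the MD5 of the user's e-mail in the public page, with a proxy endpoint where the page carries only an opaque HMAC-signed path and the e-mail hash is computed and fetched server-side. The user record, signing secret, token scheme and fake fetcher are all constructed assumptions for the example.

```ruby
require "digest"
require "openssl"

# Constructed sample account (not a real RubyGems.org user).
USERS = { 42 => { handle: "alice", email: "  Alice@Example.com " } }.freeze

# Hypothetical server-side signing key; a real deployment would load this
# from its secret store rather than a constant.
AVATAR_SECRET = "constructed-demo-secret".freeze

# Constructed stand-in for an HTTP client: maps an upstream URL to
# [content_type, bytes] so the example runs offline.
FAKE_UPSTREAM = Hash.new { |_, url| ["image/png", "PNG-bytes-for:#{url}"] }

# Gravatar-style lookups hash the normalized e-mail. Once that hash appears
# in a public page it can be checked against guessed addresses, which is the
# privacy problem the newsletter describes.
def email_hash(email)
  Digest::MD5.hexdigest(email.strip.downcase)
end

# "Before": the hash is embedded in the page for the browser to fetch directly.
def direct_avatar_url(email)
  "https://www.gravatar.com/avatar/#{email_hash(email)}?d=identicon"
end

# "After": the page only carries an opaque, HMAC-signed path keyed by user id.
def avatar_token(user_id)
  OpenSSL::HMAC.hexdigest("SHA256", AVATAR_SECRET, "avatar:#{user_id}")
end

def proxied_avatar_path(user_id)
  "/avatars/#{user_id}/#{avatar_token(user_id)}"
end

# Constant-time comparison so token validation does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The proxy endpoint: validates the token, derives the e-mail hash on the
# server, fetches the image upstream and returns the bytes with cache
# headers. Returns a Rack-style [status, headers, body] triple.
def serve_avatar(user_id, token, fetcher: FAKE_UPSTREAM)
  user = USERS[user_id]
  return [404, {}, ""] unless user && secure_equal?(token, avatar_token(user_id))

  upstream = direct_avatar_url(user[:email]) # never leaves the server
  content_type, bytes = fetcher[upstream]
  headers = { "Content-Type" => content_type, "Cache-Control" => "public, max-age=86400" }
  [200, headers, bytes]
end

if $PROGRAM_NAME == __FILE__
  puts "direct:  #{direct_avatar_url(USERS[42][:email])}"
  puts "proxied: #{proxied_avatar_path(42)}"
  p serve_avatar(42, avatar_token(42))
end
```

The property to check is that the public path reveals nothing derivable from the e-mail: the token is bound to the user id and the signing key, so it cannot be reversed or enumerated, and the upstream request (and therefore the viewer's IP address) is made by the server rather than the browser. The `Cache-Control` header keeps the proxy from becoming a hot path on every page view.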
Limiting Deletions of Old or Highly Downloaded Gems
- To reduce the likelihood of disruption caused by a left-pad-like package removal, we've introduced limits on deleting old or highly downloaded gems.
- Gem deletions are primarily for immediate fixes of newly released gems where reverting is the best solution. For other issues, the recommended approach is to release a new version.
- We've set a provisional limit on gems that can be yanked. This policy affects gems with over 100,000 downloads or those older than 30 days, aligning more closely with other ecosystems that restrict deletions.
- We will adjust the policy based on feedback and continue to coordinate yank requests through RubyGems staff, balancing the needs of maintainers and the wider community.
An Upgraded Search System from OpenSearch v1 to v2
- The upgrade from OpenSearch v1 to v2 allows us to benefit from new updates, features, and enhancements.
- Additionally, the introduction of High Availability ensures that our search functionality will remain operational even if an AWS Availability Zone (data center) goes offline, providing a robust and resilient service.
Collaborated with Shopify on a JIT performance-focused Protobuf implementation
- Earlier this year we began writing a pure Ruby protobuf implementation which is fully compliant. It was completed last month. We are coordinating our effort with Shopify, who are already at work on an implementation of protobuf that has different goals.
In April, RubyGems.org gained 82 new commits contributed by 10 authors. There were 1,111 additions and 761 deletions across 150 files.
Total spent
In April we spent $78,729.06 on development work.
Thank you
Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.
Contributors to RubyGems:
- @andyw8 Andy Waite
- @ccutrer Cody Cutrer
- @deivid-rodriguez David Rodríguez
- @fatkodima Fatkodima
- @flavorjones Mike Dalessio
- @fryguy Jason Frey
- @gdubicki Greg Dubicki
- @hsbt Hiroshi Shibata
- @indirect André Arko
- @ilyazub ilyazub
- @martinemde Martin Emde
- @mensfeld Maciej Mensfeld
- @ngan Ngan Pham
- @nobu Nobuyoshi Nakada
- @segiddins Samuel Giddins
- @simi Josef Šimánek
- @technicalpickles Josh Nichols
- @thedavemarshall Dave Marshall
Contributors to RubyGems.org:
- @ahangarha Mostafa Ahangarha
- @colby-swandale Colby Swandale
- @dancristianb Dancristianb
- @deivid-rodriguez David Rodríguez
- @hsbt Hiroshi Shibata
- @indirect André Arko
- @javier-menendez Javier Menéndez Rizo
- @markets Marc Anguera
- @martinemde Martin Emde
- @segiddins Samuel Giddins
- @simi Josef Šimánek
If we missed you, please let us know so we can include you in our shout out!