Hello! Welcome to the October newsletter. Read on for announcements from Ruby Central and a report of the OSS work we’ve done from the previous month.
In September, Ruby Central's open source work was supported by Ruby Shield sponsor Shopify, AWS, the Sovereign Tech Fund (STF), and Ruby Central memberships from 29 other companies, including Partner-level member Sidekiq. In total, we were supported by 188 members. Thanks to all of our members for making everything that we do possible. <3
Ruby Central News
RubyConf 2024
Get ready for RubyConf in Chicago from November 13-15—only 4 weeks away! Join your #RubyFriends and dive into the Ruby community, whether you're new or experienced. We’ve also been spotting quite a few of our Ruby Friends out in the wild wearing the official conference merch located on our Ruby Central Store!!! Shoutout to Valenzia from Flagrant for the amazing designs!
Join us in Chicago!
Don't forget: our room block deadline is October 18th at midnight CST! Secure your stay at the Hilton Chicago for the ultimate networking experience. Book your room now!
Hack Day on Day 2
Hack Day is a highlight of RubyConf, offering a chance to collaborate with open source maintainers like Ruby Core members, and contribute to exciting open source projects like Glimmer DSL for LibUI, Clearance, RubyGems, Sublayer, JRuby, Hanami, cancancan, Sidekiq, Camping, Nokogiri, Ruby LSP, Tapioca, and Ruby Cloud Native Buildpacks!
Stay tuned for some special “Ruby Celebrity” pairing opportunities too—details coming soon!
Also, if you have ideas on open source projects that you’d like to bring to the event, contact hackday@rubycentral.org and we can continue the conversations. The more the merrier!!
Wishing to get involved?
Why not sponsor the event? There is still a little time left (mid-October) to get your name alongside the other sponsors for the event on our printed signage! Secure your sponsorship now to reach all our attendees, showcase your thought leadership, and cultivate invaluable industry relationships by emailing our wonderful sponsorships manager, Tom.
We’re also looking for sponsors for RailsConf 2025. We’d love to have you be with us in our closing celebration of RailsConf and make this event truly magical and memorable for the community that started it all!
We want to give a huge shout-out to our generous sponsors! Alphabetical order. :)
Beyond Finance, Cedarcode, Chime, Cisco/Meraki, Couchbase, Flagrant, GitHub, GitLab, HoneyBadger, PayPal, Reinteractive, Scout APM, Sidekiq, Shopify, Wellsheet, Workforce
RubyGems News
In September, we released RubyGems 3.5.19 and 3.5.20 along with Bundler 2.5.19 and 2.5.20. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include the removal of temporary .lock files unintentionally left behind by the gem installer, the rejection of unknown platforms when running bundle lock --add-platform, and a performance fix that addresses the excessive slowness of the gem install <nonexistent gem> command.
Some other important accomplishments from the team this month include:
Significant Progress on Lockfile Checksums Enablement
- Previously, we implemented checksums in the lockfile to ensure that installed gems have not been tampered with, aligning with standard security measures in other package managers. We are now addressing platform-related issues to enforce strict gem locking and prevent false security assurances.
- The checksums feature is now available in our master branch and is being prepared for inclusion in Bundler 2.6’s December release, allowing users to opt in. It will become the default in Bundler 3, supported by continuous integration testing to guarantee reliability.
Fixing Strict Permissions Check in Bundler for GitHub Actions
- We resolved permission issues reported in GitHub Actions workflows where Bundler was refusing to delete directories before reinstalling gems, causing workflows to abort. This problem affected both GitHub Actions runner's repositories and the official
ruby/setup-rubyaction, forcing users to manually adjust permissions as a workaround. - Through investigative efforts, we identified that the Bundler 2.5.12 release began treating default gems as regular gems and explicitly installing them. Since default gems include empty directories in Ruby distributions, Bundler was failing when attempting to remove these empty directories before installation.
- We fixed the issue by modifying Bundler to skip removing empty directories, ensuring smooth gem installations without requiring manual permission adjustments.
Enhancing Support for Caching Git Gems in Cache Specific Project (vendor/cache) Settles
- We have improved Bundler's ability to cache git gems in the
vendor/cacheby maintaining a bare clone of the repository within the cache. This enhancement allows users to bundle all dependencies with their applications, facilitating installations in environments without internet access. - Additionally, we implemented patches to reduce the size of bare clones by removing
.samplefiles and ensuring that empty directories are preserved when cloning repositories on different machines. These improvements prevent cache misidentification and enhance the reliability of git gem caching.
Improvements in Gem Activation Conflict Prevention
- As a dependency manager, Bundler needs to be very careful about having dependencies itself, because those dependencies could interfere with the dependencies of end users. We addressed dependency conflicts by carefully managing Bundler and RubyGem's own dependencies, particularly with the gemification of Ruby's standard library, such as
securerandombecoming a default gem. - To prevent conflicts, we vendored the
securerandomgem under our own namespace in both RubyGems and Bundler, ensuring our dependencies do not interfere with user dependencies and maintaining a stable environment for end users. - In the particular case of
bundler/inline,we applied a workaround: rescue the conflict when it happens and retry with an explicit dependency on the user version, so that conflict does not happen the second time. - We also explored more general solutions to provide robust fixes for common entry points prone to dependency conflicts, such as re-executing the original process after gem installation during
bundler/inlineor installing gems in a subprocess whenauto_installis set.
Improving Suggestions for and Speeding Up gem install <nonexistent gem>
- Previously, attempting to install a nonexistent gem (e.g., railss) resulted in Bundler suggesting multiple gem names that were over 20 characters long, while the correct gem (rails) was never suggested.
- We recognized that waiting 10 seconds for suggestions when installing a nonexistent gem was more annoying than helpful. By determining that computing the Levenshtein distance was the main performance penalty, we refactored Bundler to avoid computing this distance in as many cases as possible. This significantly speeds up the gem install command for nonexistent gems, enhancing the overall user experience.
Introduced the New Design for RubyGems.org
- We are slowly rolling out a full refresh of the site that aims to meet our goals of modernizing the design and improving the usability of RubyGems.org for all of our users.
- The new design aims to support the full range of devices/browser widths and (much to my relief) includes a dark mode theme!
- Learn more here
In September, RubyGems gained 168 new commits contributed by 17 authors. They were 1,852 additions and 802 deletions across 164 files.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in September was provided by AWS, Fastly, and DataDog.
The following are highlights of what the team worked on this month:
Added Length Validations for User-Supplied String Attributes
- We added length validations for user-supplied string attributes to prevent users from adding a large amount of unexpected data to the pages we render.
- This improvement helps maintain application performance and security by ensuring that input data remains within acceptable limits.
Disabled Honeybadger & Datadog in local environments
- We disabled Honeybadger and Datadog from being initialized in local environments to prevent errors and unnecessary resource usage.
- These monitoring tools are configured and authenticated for production environments only, while local development setups do not have the necessary configurations. This fix ensures that Honeybadger and Datadog are active exclusively in production, maintaining a smooth and error-free experience for developers working in local environments.
In September, RubyGems.org gained 92 new commits contributed by 8 authors. There were 1,643 additions and 1,644 deletions across 157 files.
Ruby Ecosystem News
Here we outline additional exciting updates made to other projects in the Ruby Ecosystem.
Ruby Toolbox
These are highlights from the work done in Ruby Toolbox:
- To keep the Ruby Toolbox application orderly and running smoothly, we updated numerous dependencies on both the Ruby Toolbox Rails main application and the catalog repository, including upgrading to the latest
Ruby 3.3.5andRails 7.2.1. - We reviewed and merged the most recent contributions to the catalog, ensuring that submissions are up-to-date and meet quality standards.
Organization Accounts Update
We are making steady progress and are currently on track to have the new feature ready for users by the end of November. For details, check out this post. Development work on this project was made possible by funding from Alpha-Omega.
Total Spent
In September we spent $105,446.70 on development work.
Thank you
Thank you to all the contributors of RubyGems and RubyGems.org for this month! Your contributions are greatly appreciated, and we are grateful for your support.
Contributors to RubyGems:
- @deivid-rodriguez David Rodríguez
- @hsbt Hiroshi Shibata
- @byroot Jean Boussier
- @nobu Nobuyoshi Nakada
- @simi Josef Šimánek
- @marcoroth Marco Roth
- @segiddins Samuel Giddins
- @simi Josef Šimánek
- @composerinteralia Daniel Colson
- @djberube David J Berube
- @jeromedalbert Jerome Dalbert
- @martinemde Martin Emde
- @duckinator Ellen Marie Dash
- @voxik Vít Ondruch
- @earlopain Earlopain
- @y-yagi Yuuji Yaginuma
- @jonathanhefner Jonathan Hefner
- @tnir Takuya N
Contributors to RubyGems.org:
- @hsbt Hiroshi Shibata
- @martinemde Martin Emde
- @colby-swandale Colby Swandale
- @segiddins Samuel Giddins
- @simi Josef Šimánek
- @JuanVqz Juan Vásquez
If we missed you, please let us know so we can include you in our shout out!