Ruby Central's First Annual OSS Report (2024)
This is a web preview of Ruby Central's FIRST Annual OSS Report, for 2024, sharing everything we've been working on over the last 12 months and the impact of our work. We will be publishing a finalized report by the end of this year.
Executive Summary
From November 2023 to November 2024, Ruby Central’s Open Source Program made significant progress in enhancing the infrastructure and security of RubyGems, Bundler, and RubyGems.org, building a stable and resilient foundation for Ruby developers and organizations.
This inaugural open source report is intended to be released annually near the beginning of Q4 and coincide with RubyConf. It highlights our achievements, sponsors, team, and future plans. By sharing insights into our open source work, we aim to attract new funding and partnerships to ensure the long-term success of the Ruby ecosystem.
Mission
The mission of Ruby Central’s Open Source Program is to maintain a secure, reliable ecosystem for the Ruby programming language. Our focus is on strengthening and sustaining Ruby’s core tools—including RubyGems.org, Bundler, and other essential infrastructure—to meet the needs of developers at every level, from individual creators to teams within large tech companies. By building and supporting key open source projects, we are empowering the Ruby community to work with confidence and ensuring that Ruby remains a top choice for software development.
Highlights of the Year’s Achievements
This year, Ruby Central’s Open Source Program focused on initiatives to enhance security, stability, and usability across the Ruby ecosystem. Here are three standout achievements:
Trusted Publishing
Trusted Publishing is a new feature that enables secure, automated gem publishing through OpenID Connect (OIDC), allowing developers to publish directly from trusted environments like GitHub Actions without needing long-lived API tokens. For example, a developer can set up a GitHub Actions workflow to automatically publish a gem after tests pass without manually handling sensitive tokens. This streamlines the publishing workflow and ensures that the code in public repositories matches the released gems, all while meeting organizational security standards. By introducing Trusted Publishing, we are enhancing the security and reliability of the Ruby supply chain on RubyGems.org.
24/7 On-Call Support with Secondary Rotation
Over the past year, we achieved ~99.99% uptime on RubyGems.org, with zero major outages and rapid resolution of minor degradations—an important achievement given that all Ruby applications depend on this infrastructure.
To ensure rapid response to any incidents, we provided 24/7 on-call support and strengthened coverage by adding a secondary rotation of on-call engineers. Our focus on monitoring and reliability will help us continue to build the trust and confidence of developers and organizations that deploy and maintain Ruby applications.
Organization Accounts (Coming Soon)
The upcoming Organization Accounts feature is a highly anticipated release that will give companies and development teams more control over their gems through structured permissions management. With Organization Accounts, teams can assign and adjust roles, ensuring that only authorized users can manage specific gems. As team members change, permissions can be easily updated, helping to prevent disruptions and maintain continuity in gem management. This is especially valuable for large organizations like AWS, which manage hundreds of gems with many contributors.
The release will roll out in two stages: first, with dedicated admin access controls within RubyGems, allowing organizations to manage permissions and add or remove members. The second stage will enable them to officially link their gems to their organization, providing added security and transparency across the ecosystem. We will be sharing a preview of this work at RubyConf.
You can read more about these and other open source achievements in the “Ruby Central Open Source Summary” section below.
Vision
Our vision for 2025 centers on three core pillars: Security, Stability, and Sustainability.
Security remains our highest priority, driving our continued efforts to strengthen supply chain protections and refine our cloud infrastructure controls.
Stability is essential for ensuring uninterrupted service, and we are dedicated to enhancing disaster recovery planning and operational documentation to prepare for any challenge.
Sustainability focuses on establishing stable funding for ongoing maintenance and essential projects, enabling the growth of team contributions, and ensuring that Ruby’s foundational infrastructure is supported for years to come.
Funding Partners
Ruby Central’s work is supported by our funding partners:
- Sovereign Tech Agency (formerly Sovereign Tech Fund): Funds critical infrastructure and security enhancements, including work on Trusted Publishing.
- Shopify (Ruby Shield Program): Supports key development work to improve the reliability and security of Ruby’s core infrastructure, including contributing to Trusted Publishing.
- AWS: Sponsors our Security Engineer in Residence, Samuel Giddins, whose work has included developing Sigstore integration for RubyGems, enhancing Trusted Publishing capabilities, refactoring API security, and improving RubyGems performance through optimizations and security patches.
- Alpha-Omega Project: Supports specific projects like the Organizations feature and a security audit by Trail of Bits to strengthen RubyGems.
- Individual and corporate members: Ongoing contributions from individual and corporate members help sustain essential development and maintenance across Ruby Central’s open source ecosystem.
We’re grateful to all our sponsors and members for their commitment to building a secure and resilient foundation for Ruby’s future.
About Ruby Central, RubyGems, Bundler, and the OSS Committee
About Ruby Central
Ruby Central is a non-profit organization dedicated to advancing the Ruby programming language and fostering a welcoming, diverse global community. Since 2001, we have been creating online and offline spaces—such as RubyConf and RailsConf—that allow Rubyists to connect, engage, and learn from each other.
In addition to hosting events, we now support Ruby’s foundational infrastructure through our open source program, which launched in 2022 following our merger with Ruby Together. Through these combined efforts, we are sustaining the core infrastructure and providing essential resources that empower all Ruby developers to build, collaborate, and innovate.
Core Programs
Ruby Central’s efforts span several core programs designed to support and advance Ruby:
- Community support and growth: We support the Ruby community by organizing events like RubyConf and RailsConf and creating educational resources.
- Open source infrastructure: We maintain and enhance crucial tools like RubyGems.org and Bundler, providing developers with a secure, dependable environment to manage and share Ruby libraries.
- Security initiatives: We are committed to protecting the Ruby ecosystem against evolving threats through initiatives like Trusted Publishing, Sigstore integration, and an external security audit of RubyGems.org.
- Funding and partnerships: We collaborate with corporate sponsors and community stakeholders to secure funding for projects, enabling us to maintain RubyGems.org and support initiatives that drive Ruby’s long-term success.
RubyGems and Bundler’s Role in the Ruby Ecosystem
For nearly two decades, RubyGems and Bundler have served as the core infrastructure that enables Ruby developers to create, share, and install gem libraries with ease. This infrastructure has become indispensable in Ruby development, particularly for teams working with Rails, where these tools play a vital role in the setup, deployment, and maintenance of applications.
A Timeline of RubyGems and Bundler’s Evolution
- 2003: RubyGems was conceptualized at RubyConf (hosted by Ruby Central), marking the start of a standardized package management system for Ruby.
- 2004: RubyGems launched, simplifying the installation and management of gem libraries for developers.
- 2009: Bundler was developed to address dependency conflicts, ensuring compatible libraries within Ruby applications.
- 2010-2014: Widespread adoption of RubyGems and Bundler, with significant contributions from Yehuda Katz, supported by Engine Yard.
- 2015: Ruby Together was founded by André Arko to support ongoing maintenance of RubyGems and Bundler after Engine Yard stepped back.
- 2019: Funding and sustainability challenges led to merger discussions between Ruby Together and Ruby Central.
- 2022: Ruby Together merged with Ruby Central, creating a unified organization to oversee Ruby’s core infrastructure and community initiatives.
- 2023: Ruby Central formed the Open Source Software (OSS) Committee to implement a formal governance structure for RubyGems, Bundler, and RubyGems.org.
The Open Source Committee
The Open Source (OSS) Committee was formed by Ruby Central in 2023, following our merger with Ruby Together. The committee is responsible for long-term strategy, governance, and funding for Ruby’s core open source tools, including RubyGems, Bundler, and RubyGems.org.
Over the past year, the OSS Committee focused on critical infrastructure improvements, bolstering security measures, and building a sustainable contributor pipeline. Key initiatives included implementing structured governance, enhancing alignment with industry security and compliance standards, and securing consistent funding from corporate sponsors and community partners. Through these efforts, the committee is laying a strong foundation for technical advancement and community resilience.
To learn more about the Open Source Committee, you can read the announcement post on our blog.
Ruby Central Open Source Summary (Nov 2023 - Nov 2024)
Major Projects and Developments
Trusted Publishing and Sigstore Integration
In late 2023, we introduced Trusted Publishing, a feature based on OpenID Connect (OIDC) that enables secure, automated gem publishing from trusted environments like GitHub Actions. By eliminating the need for long-lived API tokens, Trusted Publishing reduces security risks and streamlines the publishing process for developers.
Additionally, we have been focused on ongoing work with Sigstore, with the goal of creating a reliable system for signing and verifying gem attestations without persistent signing keys. Over the past year, we developed the Sigstore Ruby client (a task made challenging by our constraint to avoid native code outside the Ruby standard library) and are now working to integrate it into RubyGems, Bundler, and RubyGems.org. Once fully incorporated, Sigstore will enable developers to confirm the authenticity of published gems, establishing a strong foundation for dependency provenance. This work will also help bolster broader industry standards for software provenance through our collaboration with OpenSSF’s Securing Software Repositories working group.
Security and Multi-factor Authentication (MFA) Enhancements
In response to a reported MFA vulnerability (CVE-2024-21654), RubyGems.org underwent extensive security improvements to its authentication processes. We revised MFA requirements, enhanced test coverage, and aligned with OWASP security guidelines to strengthen user authentication. This has improved security for login, password reset, and email confirmation by enforcing two-factor authentication across the platform.
Looking forward, we are considering implementing mandatory MFA for all users in order to align with industry best practices.
Infrastructure Upgrades
This year, we implemented a series of targeted infrastructure upgrades to bolster the reliability, security, and scalability of RubyGems.org. Key updates included:
- Kubernetes platform upgrade: We transitioned RubyGems’s Kubernetes cluster to the latest version, improving container orchestration, optimizing resource allocation, and enhancing system stability.
- OpenSearch cluster upgrade: We upgraded OpenSearch, which significantly improved the resilience and speed of data retrieval. This is critical for handling the ever-growing dataset of Ruby gems and delivering fast search results to users.
- PostgreSQL versioning: We upgraded PostgreSQL across major versions through a controlled, manual migration process, ensuring compatibility and security without any downtime.
Additionally, we implemented Datadog Cloud Security Management (CSM), enabling continuous, real-time monitoring of potential vulnerabilities. This allows us to identify and respond to security risks swiftly and provides our team with an added layer of visibility into infrastructure health.
Bundler Lockfile Checksums
In December 2023, we launched Bundler Lockfile Checksums as an opt-in feature to ensure that production environments deploy the exact dependencies used during development. This is a security feature that protects against supply chain attacks, such as split view and artifact replacement, by verifying that the deployed packages match the authoritative versions provided by RubyGems.org. Essentially, Bundler Lockfile Checksums offer many of the benefits of a binary transparency log but without the need for extensive infrastructure modifications.
Building this feature required nearly two years with the involvement of four engineers. Challenges included managing the variety of gem sources, ensuring authoritative checksums for package versions, and onboarding existing Bundler projects without compromising on security. We adopted this feature in our own production environment for RubyGems to verify dependencies and ensure compatibility with other users.
We have been gathering user feedback throughout the initial rollout and are working to further refine and enhance this feature (such as adding more controls and an interface to streamline usage) before releasing it to the public in December 2024.
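The check Bundler Lockfile Checksums performs, as an added illustration that is not Bundler's own code: it reads the CHECKSUMS section of a lockfile in the "name (version) sha256=hex" line form Bundler writes, then compares the SHA-256 of a fetched gem archive against the pinned digest, flagging a replaced artifact and a gem that has no recorded digest. The gem bytes and the lockfile are constructed for the example.

```ruby
require "digest"

# Constructed stand-in for a real rake-13.1.0.gem archive; the lockfile
# below pins its digest, computed here so the sample is self-consistent.
GOOD_RAKE_GEM = "constructed stand-in for rake-13.1.0.gem".b

# Constructed lockfile. rexml is listed without a digest, as Bundler does
# when it has not yet been able to record an authoritative checksum.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.1.0)
      rexml (3.2.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    rexml

  CHECKSUMS
    rake (13.1.0) sha256=#{Digest::SHA256.hexdigest(GOOD_RAKE_GEM)}
    rexml (3.2.6)

  BUNDLED WITH
     2.5.0
LOCK

# Parse the CHECKSUMS section into { "name-version" => hexdigest or nil }.
def parse_checksums(lockfile)
  pins = {}
  in_checksums = false
  lockfile.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line =~ /\A\S/                    # any unindented line starts a new section
      in_checksums = (line == "CHECKSUMS")
      next
    end
    next unless in_checksums
    m = line.match(/\A\s+(\S+) \(([^)]+)\)(?: sha256=([0-9a-f]{64}))?\s*\z/)
    raise "unparseable CHECKSUMS line: #{line.inspect}" unless m
    pins["#{m[1]}-#{m[2]}"] = m[3]       # nil when no digest has been recorded
  end
  pins
end

# Compare a fetched gem archive with the lockfile pin. Returns :ok,
# :mismatch (the artifact differs from what was locked, e.g. it was
# replaced on the server) or :unpinned (the lockfile cannot vouch for it).
def verify_gem(pins, name, version, gem_bytes)
  expected = pins["#{name}-#{version}"]
  return :unpinned if expected.nil?
  Digest::SHA256.hexdigest(gem_bytes) == expected ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  pins = parse_checksums(SAMPLE_LOCKFILE)
  puts "rake, genuine archive:  #{verify_gem(pins, 'rake', '13.1.0', GOOD_RAKE_GEM)}"
  puts "rake, replaced archive: #{verify_gem(pins, 'rake', '13.1.0', 'tampered'.b)}"
  puts "rexml, no digest:       #{verify_gem(pins, 'rexml', '3.2.6', 'anything'.b)}"
end
```

In a deployment, :mismatch is the case to fail the install on; :unpinned means the lockfile has not yet been populated with a digest for that gem and offers no protection for it.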
Organization Accounts for RubyGems.org
The new Organization Accounts feature is a powerful permissions management framework that allows teams to manage gem access and roles within a secure, structured environment. This feature is especially useful for large organizations such as AWS that manage extensive gem libraries and require streamlined permission control. Associating gems with an organization also enhances security by mitigating the risk of misrepresentation with gem naming.
This feature marks a significant step forward in aligning RubyGems with enterprise needs. It is also a stepping stone toward future work, such as scoped gems, SAML/OpenID authentication, and other enterprise features that might offer future revenue.
This feature is being rolled out in two phases, with internal permissions launched this year and full organizational connections to gems coming shortly after. This work will be previewed at RubyConf 2024 in Chicago.
Notable Fixes and Performance Improvements
Caching Git Gems
In response to challenges highlighted by GitHub, we have implemented improvements to Git-based gem caching, addressing issues that previously created redundant processing for dependencies stored in Git repositories. These improvements streamline dependency management across complex projects, reducing unnecessary fetch operations and improving efficiency for developers working with Git-managed gems.
Bundler auto_install Enhancement
In collaboration with Gusto, we expanded Bundler’s auto_install feature to operate seamlessly across any command that invokes code updates. Previously limited to specific commands, this improvement reduces repetitive bundle install steps, ensuring that any changes to dependencies are automatically installed. The enhancement has proved particularly valuable for large teams, significantly optimizing their workflows and minimizing redundant manual intervention.
Project-specific Gem Caches
We made significant updates to project-specific gem caching, enhancing dependency management for environments that require a contained gem cache, such as offline or self-contained setups. By resolving issues with dependencies sourced from Git rather than gem servers, projects can now maintain a local cache without additional scripts or workarounds. Positive feedback from GitHub and other organizations indicates that these changes have greatly simplified workflows for teams relying on isolated gem environments.
Gem Rebuild
The “gem rebuild” command enables verification of a .gem file by confirming it was generated from an expected source (provided that the gem supports reproducible builds and the source is available). This tool is useful for auditing and compliance, allowing developers to ensure that gems remain consistent with their original source code.
Security Audit
Through support from the Alpha-Omega Project, Ruby Central partnered with Trail of Bits for a comprehensive security audit on the RubyGems.org Rails application and its underlying AWS infrastructure.
The audit identified 33 issues, including seven medium-severity items and one high-severity item. Notably, most of these findings do not constitute actual security breaches. Our team has been addressing each finding and using these insights to bolster RubyGems’s security posture.
Overall, the audit attests to the effort that the core team has put into ensuring RubyGems.org is secure and reinforces that we are working in the right direction with our efforts to implement more of our infrastructure as code and to codify and constrain our access policies.
Community and Ecosystem Support
Ruby Toolbox Maintenance and Enhancements
To mark its 15th anniversary, we have made a series of significant updates to Ruby Toolbox, enhancing its functionality and compatibility with current versions of Ruby and Rails. We also had to optimize the backend to handle larger data volumes, as the download count of the Bundler gem exceeded the integer column size that was originally chosen for the Postgres table that stores them.
We also implemented a partial and regularly updated production database dump that can be easily imported into local environments, allowing developers to load a realistic dataset on their machines quickly by running bin/pull_database. We also configured a default setup for GitHub Codespaces so users can instantly launch a cloud-based development environment for Ruby Toolbox. These updates have made it faster and easier for contributors to explore and work with the codebase.
Additional features will include security vulnerability reports and comparative code size metrics, providing developers with a clearer picture of their gem dependencies. These insights aim to offer a more comprehensive view of library size, dependency trees, and potential security considerations.
Community Engagement
Over the past year, Ruby Central hosted RubyConf and RailsConf, which served as key events for Rubyists to exchange knowledge, discuss emerging trends, and collaborate on Ruby’s future. Our open source team also focused on building tools and resources that cater to developers of all skill levels, from beginners to advanced contributors. These efforts reinforce Ruby’s reputation as an accessible and resilient programming language and community.
Impact Summary
Impact of open source from November 1, 2023 to October 31, 2024:
- Total number of contributors to RC’s open source projects:
  - 98 unique contributors to RubyGems/Bundler
  - 34 unique contributors to RubyGems.org
- Total number of downloads/installs of RC tools and packages:
  - Over 34 billion gem downloads
  - Bundler downloaded 570 million times
- Total investment:
  - $1,150,000+
Open Source Team
Our OSS work is driven by these key contributors (listed alphabetically):
Arun Agrawal has been a Ruby developer since 2007, with contributions to the Rails framework and various open source projects. His work spans web applications and infrastructure management for platforms like RubyGems.org.
André Arko is a Ruby and Rails developer with over 20 years of experience. As a key member of the Bundler and RubyGems core teams and author of The Ruby Way, 3rd Ed., André has also built projects like cuberule.com and sunchaser.io, aiming to make life easier for on-call developers.
Ellen Marie Dash manages vulnerability reports for RubyGems, coordinating with HackerOne to maintain security across the ecosystem.
Gift Egwuenu is a Developer Advocate at Cloudflare with over seven years of web development experience. Specializing in developer relations, Gift contributes actively to open source initiatives, including writing monthly updates for RubyGems, and is passionate about making complex technology accessible.
Martin Emde is a Principal Engineer at Cloud City Development and core maintainer of RubyGems.org and Bundler. Known for his collaborative and open-minded approach, Martin values curiosity and inclusive problem-solving. He lives in the mountains of California with his family.
Samuel Giddins is the Security Engineer in Residence at Ruby Central, where he leads security efforts for RubyGems and RubyGems.org. With over a decade working in Ruby tooling, Samuel is committed to safeguarding the ecosystem.
Marty Haught leads Ruby Central’s Open Source Program as the Director of Open Source. An avid community builder based near Boulder, Colorado, he founded the Boulder Ruby group and has been an active member of the Ruby community since 2005. Outside of tech, Marty enjoys channeling his creativity into baking and cooking, much to the delight of his family.
Irene Kannyo is the managing editor for the Ruby Central Newsletter and serves as the OSS Content Marketing Manager. She provides support with technical writing and editing for the monthly OSS report and other OSS content.
David Rodríguez contributes actively to the Bundler and RubyGems ecosystems, strengthening tools that serve the Ruby community.
Josef Šimánek is a Ruby developer with over 15 years of experience based in Prague, Czech Republic. Passionate about database systems, particularly PostgreSQL, Josef actively collaborates with the community to build tools that make development more impactful.
Colby Swandale is a core contributor to RubyGems.org and creator of rubyapi.org. Dedicated to enhancing Ruby tooling, Colby aims to empower developers to build applications with greater ease.
Get Involved
There are numerous ways you can get involved with Ruby Central’s Open Source Program:
- Contribute code to RubyGems
- Join the conversation in the Bundler Slack
- Read our RFCs and provide feedback: github.com/rubygems/rfcs
- If you think you've found a security issue, please report it via HackerOne
- Become a sponsor of Ruby Central to help fund our crucial work (details coming soon)
November 11, 2024