Hello! Welcome to the April OSS newsletter—now known as Ruby Central’s OSS Changelog.

As mentioned in our previous newsletters, we will now be sending out separate updates for the Open Source Program and general Ruby Central organization and community news.

You can expect our general Ruby Central newsletter (the Ruby Central README) in your inbox later this month.

Open Source Program Announcements

Reminder: New Ruby Central and RubyGems Policies

Reminder that we are still in the review-and-comment period for the new policies for Ruby Central and RubyGems we announced on March 20th. We appreciate the feedback we have received so far and encourage you to voice any concerns (or appreciation). If you haven’t yet had a chance, please review them and follow the instructions to leave your comments here. Our goal is to have the policies go into effect on May 20th, 2025.

RubyGems News

In March, we released RubyGems 3.6.6 and Bundler 2.6.6. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include fixing an ENAMETOOLONG error when creating the compact index cache, showing clearer errors when writing a lockfile on a read-only filesystem, ****and updating bundle doctor to not report issues about unwritable files.

Some other important accomplishments from the team this month include:

Improving reproducible gem builds

• The RubyGems team implemented changes to make gem builds more reproducible based on recommendations from Giacomo Benedetti and William Enck.
• Their suggestions included setting a default SOURCE_DATE_EPOCH value of 315619200 and sorting metadata values in gemspecs. These updates improve compatibility with tools like Debian’s reprotest, making it easier to verify that gem builds are consistent across environments.
• This work was inspired by the paper An Empirical Study on Reproducible Packaging in Open-Source Ecosystems, which will be presented at the 2025 International Conference on Software Engineering.

Resolver performance improvements

• We've made significant performance improvements to Bundler's dependency resolution, thanks to recent contributions from Hartley McGuire.
• Initial changes focused on reducing object allocations in methods like Gem::Version#<=> and Bundler::Candidate#<=>. Further optimizations targeted the resolution algorithm itself, including improvements to the pub_grub resolver.
• As a result, Hartley reported a 60% speedup in bundle update time in his app after applying all patches. Huge thanks to Hartley for his contributions, and to John Hawthorn for maintaining pub_grub and helping refine its API to support these enhancements.

Wheels for RubyGems

• Progress continues on bringing a prototype for precompiled binary packages**,** or "wheels" to RubyGems. Samuel Giddins has defined a naming scheme for package files and finalized the set of identifying tags needed to support this across the Ruby ecosystem.
• Next steps include advocating within the Ruby community to help shift perceptions around precompiled binaries, and helping Rubyists understand that precompiled packages are actually more secure (no code execution at install time) and more ergonomic for users (no build tools or compilation delays). An RFC is also forthcoming.

Compact index cache now handles long path names

• Bundler now better handles long path names in the ****compact index cache, addressing an issue that could raise “Filename too long” errors—especially when using private servers like JFrog Artifactory.
• The fix was long delayed due to persistent CI failures, which were eventually traced to a Ruby on Windows bug that has since been resolved.
• As part of the debugging process, we also improved our test reliability by removing the use of FileUtils.rm_rf in Bundler specs, as it silently fails on cleanup errors and made diagnosing the issue harder. This change will help prevent similar issues in the future.

RubyGems.org News

The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in February was provided by AWS, Fastly and Datadog.

The following are highlights of what the team worked on this month:

Ecosystem data for Clickgems

• Marty collaborated with the ClickHouse team to finalize details for our partnership on Clickgems, the Ruby equivalent of the popular ClickPy site, which officially launched last week!
• Samuel Giddins led the effort to push RubyGems ecosystem data into ClickHouse, which now includes daily download totals and the latest public database dumps from RubyGems.org. Work is underway to roll out granular download data, made possible by retooling the Kirby log parser to stream data directly from the RubyGems.org CDN.
• This new level of insight will help the Ruby community better understand package usage trends and support maintainers in making more informed decisions, especially around platform support.

Database performance investigation after brief DoS

• A brief Denial of Service (DoS) incident targeting RubyGems.org prompted an investigation into web pages with heavy database queries.
• While no specific culprit was found, the incident served as a reminder of the need for strong visibility into database performance when operating a web system at scale.

Thank you

A huge thank you to all the contributors to RubyGems and RubyGems.org this month! We deeply appreciate your support and dedication.

Contributors to RubyGems:

• @segiddins Samuel Giddins
• @simi Josef Šimánek
• @martinemde Martin Emde
• @deivid-rodriguez David Rodríguez
• @hsbt Hiroshi Shibata
• @duckinator Ellen Marie Dash
• @devsheva Mateo Sheshi
• @nobu Nobuyoshi Nakada
• @saraid Michael Chui
• @cllns Sean Collins
• @taralbass Tara Bass
• @mbclu Mitch Clutter
• @jacobat Jacob Atzen
• @skipkayhil Hartley McGuire
• @rwstauner Randy Stauner
• @ioquatix Samuel Williams
• @giacomobenedetti Giacomo Benedetti
• @olleolleolle Olle Jonsson

Contributors to RubyGems.org:

• @simi Josef Šimánek
• @segiddins Samuel Giddins
• @hsbt Hiroshi Shibata
• @wooly Steve Bell
• @mghaught Marty Haught
• @colby-swandale Colby Swandale

If we missed you, please let us know so we can include you in our shout out!