Ruby Central's OSS Changelog: February 2025
Hello! Welcome to the February newsletter—now known as Ruby Central’s OSS Changelog.
As mentioned in our previous newsletter, we will now be sending out separate updates for the Open Source Program and general Ruby Central organization and community news.
You can expect our general Ruby Central newsletter (the Ruby Central README) in your inbox later this month.
Read on for announcements about our Open Source Program and a report of the OSS work we’ve done from the previous month...
Open Source Program Announcements
Want to support Ruby Central and our Open Source Program?
2024 was a landmark year for project work, as highlighted in our first Annual Open Source Report.
This was largely thanks to a few unique funding opportunities provided by some of our amazing partners.
However, as we kick off the new year, we’re back into lean maintenance mode as we actively work to raise funds before starting on some exciting new projects. Our 2025 project goals include:
- The public launch of Organizations, which will help teams and businesses manage gems and users under a single umbrella.
- An infrastructure modernization effort that will improve our security posture while addressing gaps in disaster recovery.
- Preparations for the EU’s Cyber Resilience Act, which will impact the compliance requirements for software products using open source.
But we need support to help us bring it all to life.
Our corporate sponsors and sustaining members drive all of the work we do, and we can’t continue to grow without that support. With additional funding, we will be positioned to not just maintain and secure the tools we all rely on but continue to enhance and expand them.
If you’d like to support Ruby Central as a sustaining member, please explore our membership options and benefits. Membership starts at just $50/year, and every contribution helps us continue our important work.
We also have corporate sponsorship opportunities for businesses. Sponsorship is a direct investment in RubyGems, Bundler, and the core infrastructure that your technology relies on. Please reach out to our team at sponsorship@rubycentral.org to learn more about how you can get involved.
We look forward to sharing more of our 2025 roadmap soon and starting to roll out more updates with your support.
Until then, we’ll stay lean and focused on providing a secure and reliable RubyGems experience for all of you.
– Marty Haught, Director of Open Source at Ruby Central
Our Security Engineer in Residence’s year in review
Samuel Giddins has published a review of his 2024 work as Security Engineer in Residence at Ruby Central. It was a busy year with the sigstore work as the centerpiece. He finishes with an overview of what he’ll focus on in 2025.
RubyGems News
In January, we released RubyGems 3.6.3 and Bundler 2.6.3. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include adding the credentials file path to `gem env`, preventing fallback to evaluating YAML gemspecs as Ruby code, adding support for the Mise version manager file, and including Ruby 3.5 in Gemfile DSL platform values for better compatibility.
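The YAML gemspec item above is a parser-versus-evaluator boundary: if a loader tries to parse a file as YAML and, on any parse failure, hands the same bytes to `eval`, then a malformed or deliberately crafted YAML gemspec becomes code execution at install time. The following is an added illustration written for this newsletter, not RubyGems' own loader; the function names, the `YAML_DOC` marker check and the constructed payload are assumptions made for the example. It shows the "try YAML, fall back to eval" shape the 3.6.3 change removes beside a loader that decides the format once and rejects bad YAML instead of executing it.

```ruby
require "yaml"

# Raised by the hardened loader when a YAML-marked spec does not parse.
class SpecLoadError < StandardError; end

# Assumption for the example: a spec that starts with a YAML document
# marker is YAML and nothing else.
YAML_DOC = /\A---(\s|\z)/

# BEFORE (the behaviour RubyGems 3.6.3 removes, modelled here): any YAML
# failure, whether a bad tag, a disallowed class or a tab used for
# indentation, silently turns the file into Ruby code.
def load_spec_with_fallback(source)
  YAML.safe_load(source, permitted_classes: [Symbol])
rescue Psych::Exception
  eval(source) # the fallback that makes a data file executable
end

# AFTER: YAML-marked content is only ever parsed as YAML; a parse error is
# reported as an error, never retried through eval. Ruby-format gemspecs
# are still evaluated, because they are code by design.
def load_spec(source)
  if source.match?(YAML_DOC)
    begin
      YAML.safe_load(source, permitted_classes: [Symbol])
    rescue Psych::Exception => e
      raise SpecLoadError, "YAML gemspec rejected: #{e.class}: #{e.message}"
    end
  else
    eval(source)
  end
end

# Constructed payload (not a real gemspec): invalid YAML, because a tab is
# not allowed as block indentation after the "---" marker, but valid Ruby,
# because "- - -" are unary minuses applied to a parenthesised statement
# list. The global records whether the Ruby path actually ran.
$spec_loader_side_effect = nil
YAML_LOOKING_PAYLOAD = "---\n\t($spec_loader_side_effect = :code_ran; 1)\n"

# Constructed Ruby-format spec for the legitimate eval path.
RUBY_GEMSPEC = <<~RUBY
  { "name" => "demo", "version" => "1.0.0" }
RUBY

# Constructed YAML-format spec that parses cleanly.
YAML_GEMSPEC = "--- {name: demo, version: 1.0.0}\n"
```

With the fallback loader, `load_spec_with_fallback(YAML_LOOKING_PAYLOAD)` returns `-1` and sets the global, proving the bytes were executed; with `load_spec` the same input raises `SpecLoadError` and the global stays `nil`. The general rule is the same for any format sniffed at load time: decide the format from the content once, then parse or reject, and never let a parser failure select a more powerful interpreter.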
Some other important accomplishments from the team this month include:
Improvements to the Bundler documentation site
- The end-of-year Bundler release required documentation updates, but the process was challenging due to warnings, outdated dependencies, and minor issues. Additionally, longstanding problems (such as poor SEO and broken links caused by recent structural changes in the rubygems/rubygems repository) needed attention.
- To improve the site, we addressed build warnings, upgraded all dependencies, fixed broken links, and enhanced SEO to make the Bundler documentation easier to find and navigate.
Improved “multi-Ruby” lockfile support
- In Bundler 2.6 we implemented several changes to allow the same lockfile to be used across different Ruby versions. A minor issue was then reported related to this functionality.
- To address this, we introduced an additional update to minimize lockfile changes when switching between Ruby versions, reducing unnecessary modifications and improving stability.
Bundler support for ARM architecture on Windows
- Windows RubyInstaller2 added support for running Ruby on ARM architecture and we received a community contribution to enable Bundler compatibility. However, the existing Windows support code was somewhat cumbersome, making it difficult for the contributor to complete the implementation.
- To resolve this, we reworked how `platform: :windows` is handled in the Gemfile, which was the primary blocker. We also refactored the logic to ensure that the `:windows` value can accommodate similar scenarios in the future.
RubyGems.org News
The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in January was provided by AWS, Fastly and Datadog.
The following are highlights of what the team worked on this month:
Fixed persistent 5xx responses on some pages
- Rails returned response headers exceeding Nginx’s 4KB limit, triggering an `upstream sent too big header` error and causing persistent 502 Bad Gateway responses. The issue stemmed from the `Redirector` middleware, which generated 301 redirects with excessively long `Location` headers, particularly for `api.rubygems.org`. Debugging was further complicated by a logging issue that hid these errors.
- We fixed the logging pipeline to correctly capture errors and updated the middleware to prevent oversized headers. This fix was tested and verified in staging, successfully resolving the 502 errors.
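The failure mode described above is worth seeing concretely: a redirect that copies the request path into `Location` lets the client choose the size of the response header block, and a path that fits Nginx's request buffers can still produce an upstream response header block larger than the buffer Nginx reads it into, at which point Nginx answers 502 instead of forwarding the redirect. The following is an added example written for this newsletter, not the RubyGems.org `Redirector` middleware. The `CANONICAL_HOST` value, the 4096-byte limit (the assumed `proxy_buffer_size` default) and the choice of a 414 response for an over-long target are assumptions for the illustration; the request envs are constructed.

```ruby
# Assumptions for the example: the host requests are redirected to and the
# size of the buffer Nginx reads the upstream response header block into.
CANONICAL_HOST = "rubygems.org"
UPSTREAM_HEADER_LIMIT = 4096

# Approximate byte count of the header block as the proxy receives it:
# status line, one "name: value" line per header, and the blank line.
def header_block_bytes(status, headers)
  bytes = "HTTP/1.1 #{status}\r\n".bytesize
  headers.each { |name, value| bytes += "#{name}: #{value}\r\n".bytesize }
  bytes + 2
end

def request_target(env)
  path = env["PATH_INFO"].to_s
  query = env["QUERY_STRING"].to_s
  query.empty? ? path : "#{path}?#{query}"
end

# BEFORE: whatever the client sent as a path is echoed into Location, so
# the client controls the size of the response header block.
class NaiveRedirector
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) if env["HTTP_HOST"] == CANONICAL_HOST
    location = "https://#{CANONICAL_HOST}#{request_target(env)}"
    [301, { "location" => location, "content-type" => "text/plain" }, [""]]
  end
end

# AFTER: the redirect is budgeted against the proxy's limit. A target that
# would not fit is refused with a short, deliverable error response, and the
# refusal is recorded instead of disappearing into a 502 at the edge.
class BoundedRedirector
  attr_reader :refusals

  def initialize(app, limit: UPSTREAM_HEADER_LIMIT)
    @app = app
    @limit = limit
    @refusals = []
  end

  def call(env)
    return @app.call(env) if env["HTTP_HOST"] == CANONICAL_HOST
    location = "https://#{CANONICAL_HOST}#{request_target(env)}"
    headers = { "location" => location, "content-type" => "text/plain" }
    if header_block_bytes(301, headers) > @limit
      @refusals << "refused #{location.bytesize}-byte redirect target from #{env['HTTP_HOST']}"
      return [414, { "content-type" => "text/plain" }, ["request target too long\n"]]
    end
    [301, headers, [""]]
  end
end

# Stand-in for the application behind the redirector.
ORIGIN_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

def request_env(host, path, query = "")
  { "HTTP_HOST" => host, "PATH_INFO" => path, "QUERY_STRING" => query }
end

# Constructed requests: an ordinary API lookup, and a request whose path is
# small enough for Nginx to accept but too large to echo back in a header.
NORMAL_REQUEST = request_env("api.rubygems.org", "/api/v1/gems/rails.json")
LONG_REQUEST = request_env("api.rubygems.org", "/api/v1/gems/#{'a' * 6000}.json")
```

For `LONG_REQUEST` the naive redirector produces a 301 whose header block exceeds `UPSTREAM_HEADER_LIMIT`, which is the response Nginx refuses to relay; the bounded version returns a 414 that fits. For `NORMAL_REQUEST` both return the same 301. The complementary infrastructure-side fix is to raise Nginx's `proxy_buffer_size` for that location, but the application should still bound what it reflects, since the proxy limit only moves the threshold.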
Upgraded to Ruby 3.4.1
- We upgraded RubyGems.org to Ruby 3.4.1 to ensure compatibility with the latest Ruby version and take advantage of performance improvements and security updates.
Removed the `Forwarded` and `X-Forwarded-Host` headers
- We removed the `Forwarded` and `X-Forwarded-Host` headers from incoming requests to enhance security and mitigate the risk of header spoofing attacks, in which a client supplies a forged host that the application would otherwise trust.
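To make the spoofing risk concrete: a Rails-style request takes its host from `X-Forwarded-Host` in preference to `Host`, so if that header reaches the application unfiltered, a client can choose the host that ends up in absolute URLs the application generates. The following is an added example written for this newsletter, not RubyGems.org's code. The host-selection function is a simplified model of that precedence, not the full ActionDispatch logic, and the middleware, the sample application and the request env are constructed for the illustration.

```ruby
# Rack env keys for the two client-controllable forwarding headers.
SPOOFABLE_HOST_HEADERS = %w[HTTP_FORWARDED HTTP_X_FORWARDED_HOST].freeze

# Simplified model (assumption for the example) of how a Rails-style request
# decides its host: the last entry of X-Forwarded-Host wins over Host.
def effective_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"].to_s
  source = forwarded.empty? ? env["HTTP_HOST"].to_s : forwarded
  source.split(/,\s*/).last.to_s
end

# Middleware that deletes the forwarding headers before the application sees
# them, so only the Host header set by the trusted edge remains.
class StripForwardedHost
  def initialize(app, headers: SPOOFABLE_HOST_HEADERS)
    @app = app
    @headers = headers
  end

  def call(env)
    @headers.each { |name| env.delete(name) }
    @app.call(env)
  end
end

# Sample application: returns an absolute link built from the request host,
# the kind of URL that lands in a password-reset e-mail or a redirect.
LINK_APP = lambda do |env|
  link = "https://#{effective_host(env)}#{env['PATH_INFO']}\n"
  [200, { "content-type" => "text/plain" }, [link]]
end

def link_from(app, env)
  _status, _headers, body = app.call(env.dup)
  body.join.strip
end

# Constructed request: the edge set Host correctly, but the client also sent
# forged forwarding headers that were passed straight through.
SPOOFED_REQUEST = {
  "HTTP_HOST" => "rubygems.org",
  "HTTP_X_FORWARDED_HOST" => "attacker.example",
  "HTTP_FORWARDED" => "host=attacker.example;proto=https",
  "PATH_INFO" => "/users/password/edit"
}.freeze
```

Without the middleware the generated link points at `attacker.example`; with `StripForwardedHost` in front of the application it points at `rubygems.org`. Two caveats for anyone copying the pattern: if a trusted proxy legitimately needs to convey the original host, the edge must set that header itself (overwriting whatever the client sent) rather than pass it through, and Rails' `config.hosts` allowlist is the complementary control that rejects unexpected hosts outright.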
RubyGems Ecosystem News
This is where we highlight other exciting updates made to Ruby infrastructure projects that support our RubyGems work.
RubyGems.org stats back up
- After a year or two of empty graphs, we got stats.rubygems.org back up and running!
- All historical data is still present—only displaying the data stopped working, and we were finally able to figure that out and resolve it.
- Now, it is once again easy to see the Ruby, RubyGems, Bundler, and CI versions that are installing the most gems from RubyGems.org.
Thank You
A huge thank you to all the contributors to RubyGems and RubyGems.org this month! We deeply appreciate your support and dedication.
Contributors to RubyGems:
- @segiddins Samuel Giddins
- @nobu Nobuyoshi Nakada
- @simi Josef Šimánek
- @deivid-rodriguez David Rodríguez
- @duckinator Ellen Marie Dash
- @hsbt Hiroshi Shibata
- @soda92 Maple
- @kyanagi Kouhei Yanagita
- @Vasfed Vasily Fedoseyev
- @joshleblanc Josh LeBlanc
- @rykov Michael Rykov
- @johnnyshields Johnny Shields
- @the-spectator Akshay Birajdar
- @edouard-chin Edouard Chin
- @ntkme なつき
- @larskanis Lars Kanis
Contributors to RubyGems.org:
- @martinemde Martin Emde
- @simi Josef Šimánek
- @segiddins Samuel Giddins
- @hsbt Hiroshi Shibata
- @w-masahiro-ct Masahiro
- @huacnlee Jason Lee
- @gemmaro Gemmaro
- @kairoaraujo Kairo Araujo
- @adrianthedev Adrian Marin
- @MilaZhou22 MilaZhou22
- @skatkov Stanislav (Stas) Katkov
- @indirect André Arko
If we missed you, please let us know so we can include you in our shout out!
February 19, 2025