Hello! Welcome to the March newsletter—now known as Ruby Central’s OSS Changelog.

As mentioned in our previous newsletters, we will now be sending out separate updates for the Open Source Program and general Ruby Central organization and community news.

You can expect our general Ruby Central newsletter (the Ruby Central README) in your inbox later this month.

Letter From Our Open Source Director

RubyGems has grown significantly in recent years, with a greater focus on stability and security to ensure you have the tools you need to build with confidence.

As we continue to mature, we’re putting stronger foundations in place to support that growth over the long term. This includes creating clear standards and processes for how RubyGems.org is managed.

While this might not be as exciting as solving tough engineering problems, it is an important part of the evolution of RubyGems. Without clear policies, we carry unnecessary risk, and we make it harder to act fairly and consistently across the board.

With this in mind, we partnered with a law firm that specializes in working with open source organizations to help us formalize a set of policies. And we are now opening a 60-day review and comment period for community members to weigh in. 

If you have thoughts on our new policies, we encourage you to send feedback to legal@rubycentral.org or join the conversation in the #oss-program-ruby-central channel on the Ruby Central Community Slack.

You can read my full letter on this matter here for more details.

Thank you for being part of this journey with us.

Best,
Marty Haught
Director of Open Source, Ruby Central

Open Source Program Announcements

Our seasoned security engineer in residence shares a lesson on dealing with malicious packages

  • Samuel Giddins published a blog post illustrating how a fictional package repository might handle a malicious package. Many in our community are unaware of the behind-the-scenes effort that goes into resolving compromised packages, and sharing this story sparked positive engagement. Read the blog post here: Dealing with Sham Packages.

RubyGems presentations in Poland

  • Sam presented at Ruby Community Conference 2025 last month. He gave a hands-on workshop on modernizing gem development practices, guiding maintainers through setting up trusted publishing and sigstore signing to improve the security and integrity of their gem releases.
  • He also led a session at the KRUG’s (Krakow Ruby User Group) February 2025 meetup about the future of Ruby supply chain security.

RubyGems News

In February, we released RubyGems 3.6.4, 3.6.5 and Bundler 2.6.4, 2.6.5. These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include removing gem server from gem help to streamline command output, raising a clearer error message when RubyGems fails to activate a dependency, ensuring Bundler correctly considers gems under platform: :windows in the Gemfile when running on Windows with ARM architecture, and fixing a resolver issue caused by incorrectly defined version ranges.

Some other important accomplishments from the team this month include:

Upgrading Kubernetes cluster to v1.32 and our OpenSearch cluster to v2.17

  • We regularly update our infrastructure systems to ensure we’re taking advantage of the latest software features and security patches. This upgrade was scheduled and performed seamlessly without impacting users.

Developing wheels for RubyGems

  • A proposal is in progress to introduce "wheels" for RubyGems: a build format that lets every gem with native extensions ship precompiled binaries instead of compiling on the user's machine.
  • This is better for security because installing a gem no longer requires running its extension build code (extconf.rb, make and the compiler toolchain) on the installing host. It’s also a huge improvement for the gem install experience: no build tools to install, no compilation errors, and shorter installation times. An outline of the project goals has been published at traveling.engineer, and implementation sketches are in the works.

Resolution improvements in Bundler

  • The Ruby 3.4.2 release shipped a net-smtp gemspec with incorrect dependencies, leading to multiple bug reports. To prevent similar issues in the future, Bundler now attempts to automatically correct dependencies in the lockfile that disagree with the installed gemspec whenever possible. When auto-fixing is not possible (e.g., in frozen mode), Bundler now provides clearer error messages to help users resolve the issue.
  • Depfu reported cases where Bundler 2.6 was unexpectedly downgrading dependencies. This was fixed by ensuring Bundler properly respects locked versions and re-adds necessary lower bound requirements.
  • Investigating these issues also led to fixing the only known issue in our resolver engine (pub_grub), improving Bundler’s dependency resolution logic.

RubyGems.org News

The updates made this month to RubyGems.org reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for RubyGems.org in February was provided by AWS, Fastly and Datadog.

The following are highlights of what the team worked on this month:

Fixed API key role creation for Buildkite

  • Fixed an issue where creating an API Key Role for Buildkite incorrectly assigned a GitHub Actions principal instead of the Buildkite principal. This happened because the form defaulted to GitHub OIDC settings, which hid the principal input and prevented users from changing it; a system test now covers this flow.
  • The fix removes the unnecessary principal assignment from the form, so the correct value is set automatically for both GitHub Actions and Buildkite, ensuring API Key Role creation binds the key to the intended OIDC identity provider.

RubyGems Ecosystem News

This is where we highlight exciting updates made to Ruby infrastructure projects that support our RubyGems work.

Sigstore

sigstore-ruby

  • The sigstore-ruby client is nearly ready for its 0.3.0 release, bringing improved spec compliance and JRuby support.
  • Adding JRuby support was particularly challenging, as it required the reimplementation of certain cryptographic operations using Java security APIs instead of relying on the jruby-openssl gem.
  • You can read more about the development of sigstore-ruby in Sam’s 2024 year in review.
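The bullet above mentions reimplementing cryptographic operations against the JDK's own security APIs on JRuby rather than through jruby-openssl. The following is an added example, not sigstore-ruby's code, of the kind of dual-backend routine that pattern produces: verifying a SHA-256 ECDSA P-256 signature (the primitive used for sigstore signing certificates and bundles) via the openssl gem on CRuby and via java.security on JRuby. The module name EcdsaVerify, the helper names and the sample message are this example's own; the Java class names are the standard JDK ones. Both backends consume the same interoperable DER encodings (SubjectPublicKeyInfo for the key, ASN.1 ECDSA-Sig for the signature), and a malformed signature is reported as a verification failure rather than an exception, which is the edge case a verifier must get right.

```ruby
# Added example (not sigstore-ruby's code): ECDSA P-256 / SHA-256 verification
# through two backends selected by RUBY_ENGINE.
require "openssl"

module EcdsaVerify
  module_function

  # Returns true only if +signature+ (DER ECDSA-Sig) is a valid SHA256withECDSA
  # signature over +message+ under the public key +spki_der+ (DER SubjectPublicKeyInfo).
  def verify(spki_der, message, signature)
    if RUBY_ENGINE == "jruby"
      verify_java(spki_der, message, signature)
    else
      verify_openssl(spki_der, message, signature)
    end
  end

  # CRuby path: the openssl gem. A garbage signature makes EVP_DigestVerifyFinal
  # return an error rather than a clean "false", which the gem surfaces as
  # OpenSSL::PKey::PKeyError; map that to a failed verification.
  def verify_openssl(spki_der, message, signature)
    key = OpenSSL::PKey.read(spki_der)
    return false unless key.is_a?(OpenSSL::PKey::EC)
    key.verify("SHA256", signature, message)
  rescue OpenSSL::PKey::PKeyError
    false
  end

  # JRuby path: no OpenSSL involved, only JDK classes. Same DER inputs.
  # (Only reached when RUBY_ENGINE == "jruby".)
  def verify_java(spki_der, message, signature)
    require "java"
    spec = java.security.spec.X509EncodedKeySpec.new(spki_der.to_java_bytes)
    pub = java.security.KeyFactory.getInstance("EC").generatePublic(spec)
    verifier = java.security.Signature.getInstance("SHA256withECDSA")
    verifier.initVerify(pub)
    verifier.update(message.to_java_bytes)
    verifier.verify(signature.to_java_bytes)
  rescue java.security.GeneralSecurityException
    # Covers SignatureException (malformed signature) and key decoding errors.
    false
  end

  # Round trip on a throwaway key: sign a constructed message, then verify the
  # genuine signature, a tampered message, and a non-DER signature blob.
  def demo
    key = OpenSSL::PKey::EC.generate("prime256v1")
    spki = key.public_to_der
    message = "constructed sample: gem release payload v1.2.3"
    sig = key.sign("SHA256", message)
    {
      valid: verify(spki, message, sig),
      tampered_message: verify(spki, message + "!", sig),
      garbage_signature: verify(spki, message, "\x00" * 64),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  EcdsaVerify.demo.each { |name, ok| puts "#{name}: #{ok}" }
end
```

Run it under CRuby and JRuby and the three results should agree; that cross-engine agreement on the same DER inputs is the property a client like sigstore-ruby has to preserve when it swaps the crypto backend underneath.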

Ecosystem adoption

  • A tracker has been launched to monitor sigstore adoption among the most popular gems: Are We Attested Yet?
  • Currently, 20 of the top gems are shipping attestations, and efforts are ongoing to help more maintainers integrate sigstore signing into their release workflows.

Thank You

A huge thank you to all the contributors to RubyGems and RubyGems.org this month! We deeply appreciate your support and dedication.

Contributors to RubyGems:

Contributors to RubyGems.org:

If we missed you, please let us know so we can include you in our shout-out!