In case you missed it, in 2022, we launched Ruby Shield, our open source funding partnership with Shopify.
The mission of Ruby Shield is to increase work on Ruby security, strengthen our current infrastructure, and make Ruby development safer and more stable for the community. We are excited to bring on security-focused developers, provide more robust maintenance for rubygems.org, and implement new community-priority feature proposals.
Importantly, we’d like to reiterate that Shopify will not have any additional influence over Ruby Central’s decisions, processes or events. No individual or company can dictate our priorities, and our work will (as always) aim to benefit the Ruby community as a whole. As promised in the Ruby Shield announcement, we are sharing program updates with the community so you can see how our work moves forward — transparency is an important value for everyone at Ruby Central. We hope to share updates like this a few times a year.
Read on for our first update!
New Projects
Since we launched Ruby Shield last year we’ve started several projects:
Global On-Call Rotation
For the past two years, RubyGems.org maintenance has been a mainly US-based volunteer effort with some paid help when we could get it. This setup stretched our small team thin and often left them with little room for breaks.
We’ve now hired paid infrastructure engineers and implemented a “follow the sun” on-call rotation, meaning we have someone awake and on-call during their own daytime, around the world, every day. This allows us to provide consistent coverage for potential issues 24 hours per day. It even includes enough slack to allow individuals to take time off without forcing anyone to take overnight shifts, hopefully making the work more sustainable in the long run.
RubyGems.org Scaling and Maintenance
We have also been able to invest in the long-term stability of RubyGems.org. Some of the progress we’ve made on this since the Ruby Shield launch includes:
- Resolved AWS deprecations
- Upgraded the Postgres version
- Upgraded the Kubernetes version
- Upgraded search servers from Elasticsearch 7.10 to OpenSearch 1.3
- Released RubyGems 3.4 and Bundler 2.4
You can take a closer look at the development work we’ve done in our monthly updates.
Securing RubyGems
Ruby Shield funding has also allowed us to focus on improving the trustworthiness of gems. We’ve added an OpenSSF Scorecard to GitHub and GitHub Actions, migrated the git protocol from http:// to the more secure https://, and added support for hardware security tokens and passkeys (WebAuthn).
Support Tools
Finally, we are adding more tools for the maintainers who support developers using RubyGems.org. Specifically, we are setting up admin tools to reduce time spent on routine support requests like 2FA resets, spam, abuse, etc. This will reduce the burden on maintainers and also allow non-maintainers to assist.
What’s Up Next?
Long-deferred projects
As we’ve mentioned, Ruby Shield allows us to plan security and stability initiatives on a timescale of years instead of days. Upcoming work includes:
- Continue upgrading our infrastructure to keep everything running smoothly
- Improve the user experience for RubyGems and Bundler, with built-in checksum verification for gems, faster performance, easier-to-understand error messages, and shortcuts for common tasks
- Increase information available about each gem, including better download counts, easier access to gem contents, and eventually version diffs and code search
- Investigate ecosystem security opportunities like The Update Framework and Sigstore
Expanding even further
We plan to continue expanding and building on the work we’ve started with Ruby Shield. We’ve identified more financial support options for this work, including the German Sovereign Tech Fund, the Plaintext Group OSS Virtual Incubator, the NLnet Foundation, and the Comcast Innovation Fund. We’re also hoping to collaborate with the package ecosystems of other languages, such as Python, Perl, and Rust, to share best practices and learn from each other’s mistakes.
Your Name Here
We are grateful to the team at Shopify for working with us to financially support this project. This work wouldn’t be possible without it.
But why let them have all the fun? If your company is interested in supporting this work (or something else), get in touch with us; we’d love to talk more about how you can support the Ruby developers on your team as well as the rest of the world.
And if you’re an individual developer who wants to support Ruby infrastructure and community work, consider joining us as a supporting member. Individual members subscribe at a sliding scale amount, which supports Ruby Central and our work. Membership benefits are a work in progress, but more fun perks are on the way.
You can also attend RailsConf or RubyConf to support our work or join the conferences as a sponsorship partner. All of this helps us support the Ruby community.
Ruby Community Input
As a community organization, our goal is to support and grow the Ruby community around the world, but we can’t do it as well without you.
- Would you like to contribute to any of these projects?
- Are there any programs or projects you think we should be prioritizing which would benefit the Ruby community?
- Do you have a new project, or feature idea?
We want to hear from you! Send your feedback or suggestions to our team at contact@rubycentral.org.
Thanks for reading!