Ruby Central announces Ruby Shield, a partnership between Ruby Central and Shopify
We’re thrilled to announce Ruby Shield, a partnership between Ruby Central and Shopify that underscores our shared commitment to security work. This partnership will allow Ruby Central to focus more on security and on general Ruby and Rails infrastructure development and maintenance. Ruby Central operates rubygems.org, the primary Ruby software registry, and supports development of tools such as RubyGems and Bundler.
As many in our community know, Shopify has long had a team dedicated to supporting Rails. That team has recently started dedicating more effort to contributing to and maintaining rubygems.org for the betterment of the entire Ruby ecosystem. Shopify will also support Ruby Central with a donation to the organization made over the next four years, which we plan to use to hire security-focused developers. While Shopify’s financial support will not result in any additional privileges, preferences, or access to Ruby Central decision-making, Ruby Central is excited to see new feature proposals, such as enhanced software signing projects, that are widely desired by a large portion of the community.
The Ruby community is important to us at Ruby Central, and our mission is to support the community in its entirety. Shopify understands the critical role that Ruby Central plays in the Ruby community and is committed to supporting Ruby Central's empowerment of all Ruby developers. We look forward to potentially working with more companies on similar opportunities in the future as the Ruby community and ecosystem continue to grow and thrive.
Why is this good news for the Ruby community?
Many of the tools Ruby developers use every day to manage their open-source dependencies are supported almost entirely by volunteers or Ruby Central funding. With Shopify’s support, Ruby Central will now be able to confidently plan security and stability initiatives on a timescale of years. This work will improve the tools used by upstream open-source contributors, the many libraries that the entire community uses in production, as well as tools directly used by Shopify.
Why is Shopify investing in supply chain security?
Open-source supply chains are increasingly under attack. Sonatype reports that supply chain attacks increased 650% YoY in 2021. At the same time, open-source demand (73% YoY increase in downloads) and supply (20% YoY growth of new component versions) are exploding.
Shopify is already working with the OpenSSF and the supply-chain maintainers in other ecosystems – Python, Node.js, Rust, PHP, and Java – to find solutions to shared problems; collaborating with Ruby Central is the next step.
Shopify is committed to building high-trust, open-source communities and Ruby Shield will help maintain this sense of security and trust under the stewardship of Ruby Central.
What is Ruby Central's role in the Ruby open-source ecosystem?
Ruby Central has been funding work on the critical infrastructure used by the Ruby Community since 2003, and hires engineers who are working on rubygems.org and the Ruby developer toolchain. Ruby Central also operates the primary repository of Ruby open-source software (rubygems.org) which adds a lot of direct value to the community. Shopify’s commitment will help Ruby Central confidently plan their engineering budget, take on new security-related projects, improve the cycle time for contributors, and make Ruby open-source more secure.
How else have Shopify and Ruby Central worked together?
Shopify is a long-time sponsor of RubyConf and RailsConf, and those sponsorships go directly to funding Ruby Central activities and initiatives. This new partnership lets Ruby Central provide more to the Ruby community than we could by funding activities solely through the conferences.
What influence does this partnership give Shopify over Ruby Central?
This was an important consideration for Ruby Central in moving forward with the partnership. After discussion with Shopify and amongst the Ruby Central directors, the agreement was formulated as a donation without strings. Both parties have made it clear that usage of the donation is at the discretion of Ruby Central. As a good steward of the Ruby community, Ruby Central plans to disclose how the funds were used, both for full transparency on the partnership and to highlight the work that was done.
What is Shopify's role in the Ruby open-source ecosystem?
Shopify engineers proudly use Ruby and Rails as their primary tech stack, handling business for millions of merchants and entrepreneurs worldwide. Shopify also employs many Ruby Core and Rails Core team members who frequently contribute to open-source projects and are excited to work with Ruby Central so that Ruby and Rails can continue to thrive and be tools that easily scale for every company that uses them.
How much is Shopify contributing to Ruby Shield?
Shopify is committing $1 million USD to Ruby Central over four years, in addition to committing dedicated Engineering effort from Shopify’s Ruby and Rails Infrastructure team.
How will Ruby Central spend these funds?
Ruby Central will use this money primarily to invest in improving Ruby’s supply chain, including operations and security engineering work. Some ideas include rubygems.org scaling and stability; better package signing; increasing support for multi-factor authentication; maintaining commonly-used libraries; and generally improving common tools like Bundler.
But these are just suggestions! The Ruby Central team will continue to steward programming, projects, and initiatives in the most impactful direction for the community.
Shopify and Ruby Central will work together to periodically publish a report about the work being done to make Ruby better and more secure.
To send feedback to Ruby Central, email email@example.com.
August 10, 2022