We’re excited to announce our second partnership with the German Sovereign Tech Fund (STF) to support Ruby Central’s open source maintenance, development, and security work on Bundler and RubyGems. These tools are critical infrastructure which hundreds of thousands of Ruby developers rely on to do their work every day, including those at GitHub, Stripe, Airbnb, Mastodon and more. Our development team has a long track record of delivering year-over-year improvements to Ruby's public infrastructure since 2009.

The STF supports the development, improvement, and maintenance of critical open digital infrastructure. It seeks to strengthen the open source ecosystem, focusing on security, resilience, technological diversity, and the people behind the code. This investment is a continuation of a pilot partnership between the STF and Ruby Central from 2022-2023. We’re grateful to have our work recognized again as indispensable to the long-term health of the open source ecosystem.

This investment will support our developers as they work on our extensive Bundler and RubyGems roadmap, which includes items like:

Make life better for all Ruby developers by:

  • Adding new functionality in Bundler to support e.g. editor tooling (aka `bundle compose`), resolving longstanding user requests and pain points
  • Verifying links from gem metadata, to prevent gems from listing unrelated websites
  • Integrating the bundle-stats gem into Bundler
  • Integrating the bumbler benchmarking tool into Bundler
  • Integrating the bundle-audit security tool into Bundler
  • Integrating the extended-bundler-errors plugin into Bundler to improve error messages when gem installations fail
  • Creating a content view to show the exact actual contents of gem packages, which may differ from the repository contents
  • Adding a diff view, showing changes between gem versions, to make it easy to see exact changes
  • Maintaining and expanding the popular Ruby Toolbox guide, providing detailed information and suggestions for libraries that can be installed and used via Bundler and RubyGems
  • Expanding the rubyapi.org documentation website to include not just API docs for Ruby itself, but also documentation for gems, replacing previously useful but now deteriorating sites like apidock.com and rdoc.info

Improve reliability for our global service by:

  • Funding a paid 24/7 on-call rotation of 3-5 people, enabling us to quickly respond to handle emergencies, incidents, or critical security issues.
  • Updating and consolidating our Terraform repository
  • Making infrastructure upgrades, including k8s, elasticsearch, and postgres
  • Deprecating and removing the Legacy Dependency API, the most frequent cause of degraded service
  • Developing automated review environments to easily test PRs, speeding up the development process while offering more chances to catch and resolve bugs.

Increase support for gem publishing organizations by:

  • Adding permissions levels, so users can have permission to push gems without also having admin permissions to add and remove other users.
  • Building a Terraform provider to manage gem permissions, so that organizations can manage permissions for gems in the same place as other cloud permissions.
  • Adding OIDC integration for RubyGems.org, improving security by avoiding permanent auth tokens.
  • Adding SSO integration for organizations to allow easier and more automated account management.
  • Developing namespaces for organizations, to eliminate an entire class of name-confusion attacks.

Make life better for RubyGems maintainers by:

  • Building simpler and more automatic admin tools to help users with problems, resolving problems more quickly and with less burden placed on maintainers: yank version, yank gem by name, disable user account by name or email, yank all gems by user account.
  • Deprecating and removing gem commands `cert`, `lock`, reducing surface area for bugs and eliminating unaudited legacy cryptographic signing scheme.
  • Creating a GitHub action to release Bundler and RubyGems from CI

Make life better for gem creators by:

  • Building and releasing a GitHub action to release gems securely using OIDC and ephemeral access tokens
  • Creating per-version daily, weekly, and monthly download graphs to show real world usage changes over time
  • Updating Gemstash to include support for the compact index
  • Extracting a reference implementation of the compact index with documentation
  • Updating `gem generate_index` to generate compact index files
  • Supporting and documenting using a static server (e.g. S3) as a gem source that includes the compact index
  • Revising support for gems with extensions written in Rust, improving documentation and user experience

Thank you to the STF for funding our work! We look forward to the ways this investment will help us provide more robust maintenance and free open source tools that ultimately strengthen the Ruby ecosystem and serve the whole Ruby community.