Dependency Management

Summarized using AI

A Year of Ruby, Together

André Arko • September 23, 2016 • Sofia, Bulgaria

In the EuRuKo 2016 talk titled "A Year of Ruby, Together," André Arko, leader of the Bundler team and co-author of 'The Ruby Way', discusses the inception and progress of Ruby Together, a nonprofit organization focused on improving Ruby infrastructure. He emphasizes the growth of the Ruby community, which has outgrown the previous volunteer-run model for maintaining resources like RubyGems and Bundler.

Key points of the talk include:

- Introduction to Ruby Together: Arko describes Ruby Together as a nonprofit that compensates developers to enhance Ruby infrastructure, including RubyGems and Bundler, fostering a sustainable ecosystem.

- Funding and Contribution: The organization is funded by nonprofit members, which can be individuals or companies using Ruby, and aims to ensure the resources are maintained sustainably.

- Growth and Challenges: Arko shares statistics showcasing the exponential increase in gem downloads and the substantial growth of gems available, which has not been matched with a corresponding increase in volunteering resources.

- Technical Challenges: He recounts a significant incident where rubygems.org was compromised, illustrating the necessity of having a dedicated, knowledgeable team to handle critical security issues and the limitations of relying on volunteers in emergencies.

- Benefits of Ruby Together: The organization has funded over 1,100 hours of developer time, leading to developments such as the new dependency resolver 'Molinillo' in Bundler, improved error messaging, and the maintenance of RubyGems.

- Future Perspectives: Arko highlights the sustainability plan for the organization, emphasizing the need for more companies to join and support Ruby Together to maintain ongoing funding for developers and continued improvements.

- Call to Action: At the end of his presentation, Arko encourages companies to support Ruby Together to further enhance resources available to the community. He concludes with a reminder that the tools provided by Ruby Together are indeed substantial, signifying the collaborative effort behind the scenes for the growth of the Ruby community.

In summary, Ruby Together plays a critical role in ensuring the future of Ruby's infrastructure by pooling resources from the community and addressing the increasing demands of the developer ecosystem, aiming for sustainable growth and improved experiences for Ruby developers.


EuRuKo 2016

00:00:03.560 Our next speaker is André Arko. He is the leader of the Bundler team and the co-author of 'The Ruby Way' book. He founded Ruby Together a year ago and he's here to discuss how it's been.
00:00:23.960 Thanks! Hi everyone, thanks for coming. Let me introduce myself a little bit, as you are all just getting to know me. My name's André Arko, and on the internet, I'm pretty much always André. That's my internet handle.
00:00:36.290 You might recognize me from my webpage. I work at Cloud City as a Ruby and Rails consultant, doing architectural consulting and senior development pairing, among other things. If your engineering team could use architectural consulting or senior development pairing, maybe we can talk later.
00:00:54.019 I co-authored a book that came out this year called 'The Ruby Way.' The first edition of 'The Ruby Way' is actually the book that I first learned Ruby from back in the early 2000s. I'm super happy to have updated it for Ruby 2.2 and 2.3. Now I have my own book that I can even use to prop up my monitor when it needs to be taller, which is pretty great.
00:01:19.520 I lead the team that works on Bundler. That's a completely different topic, and it has turned out to be a lot of hard work, but a really great way to learn about Ruby and interact with the whole community.
00:01:32.450 We've recently put a lot of work into making it clear how to contribute to Bundler and how to get started contributing to open source. If that's something that you’re interested in doing but feel like the way to do it isn't clear, I encourage you to talk to me later, either online or in person, and I would love to help you out with that.
00:01:58.850 The other project that I work on is the one that I'm actually here to talk about today, which is Ruby Together. Ruby Together is quite new; it has actually been around for just about 18 months. If you have heard of it, that's really cool! If not, well, I'm going to tell you a bunch more about it right now.
00:02:17.630 So what even is Ruby Together? Very briefly, Ruby Together is a nonprofit that pays developers to work on Ruby infrastructure, such as RubyGems and Bundler, in addition to the servers that run rubygems.org.
00:02:30.380 It receives funding from nonprofit members, which can be any person or company that uses Ruby. The work we fund is free for anyone who uses Ruby to utilize.
00:02:56.020 The reason this happened is ultimately that Ruby has kind of grown up. The Ruby community is a lot bigger than it used to be, and that means that the community has outgrown its roots as a volunteer-run set of infrastructure.
00:03:10.700 As you've probably noticed, Bundler has made it a lot easier to use gems than it used to be. Before long, the possibilities for creating gems also improved significantly. Over the six years that I've spent working on Bundler, the number of gems has multiplied.
00:03:39.320 There are now more than a hundred thousand named gems, and there are over a million versions of those hundred thousand named gems. The number of gem downloads has gone up exponentially.
00:04:02.959 In the first decade of RubyGems' existence, from around 2004 to 2014, there were approximately two billion gem downloads, which is super cool. Then 2015 happened, and from the beginning to the end, we served four billion gem downloads, which is like one decade's worth of downloads, and then twice as much in just one year.
00:04:32.150 Unfortunately, I have to say that we did not see the same increase in the number of people volunteering to work on Bundler and RubyGems. Most people don't realize this, but the team that works on rubygems.org is incredibly small; it has never had more than four people working on it at a time, and most often it only has two.
00:04:46.470 The Bundler team is even smaller; we have never had more than two people consistently working on it at any time. Most of the time, there has only been one person. All of those members are often juggling full-time jobs not related to Ruby, and they spend nights and weekends, along with some volunteers, giving up their time for the community.
00:05:16.590 This arrangement was sufficient during the decade when we served two billion gems, but it is not sustainable in the year that we served four billion gems.
00:05:35.789 Let me give you a single example from a few years back that encapsulates all the points that I'm trying to make. About three years ago, rubygems.org went down completely for an entire week.
00:05:54.810 The underlying reason was a substantial security issue. Depending on how long you've been working with Ruby, you may remember an incident where, if you were clever with your YAML, you could make a Rails app execute any code you wanted. The rubygems.org team was on top of things enough to bump the Rails version, so we weren't vulnerable anymore, but it turns out that if you decompress a .gem file, it's just a tarball.
00:06:28.500 Inside that tarball, there’s a YAML file that describes the gem, and someone realized that they could exploit that YAML by inserting clever code to execute when their gem was processed. This led to an entire compromise of rubygems.org, giving the attacker access to run any code they wanted on our servers. We had to take down the server completely, which took an immense amount of time.
00:07:54.320 We had to download every single .gem in existence and run checksums against them, comparing these checksums to those from mirrors and others who had saved gems before the server was compromised. We had no guarantees about the integrity of the gem files.
00:08:21.280 Luckily, it turned out the hacker was relatively benevolent and did not actually replace any gems maliciously. However, we needed to check every gem before we could allow anyone to install them again.
00:08:43.790 During this period, hundreds of developers showed up online offering to help. However, not a single one could do anything useful because none of them were familiar with how our systems worked.
00:09:02.640 After the crisis, when we reached out to the volunteers for follow-up help, we received no replies. The lesson I learned is that outside of an emergency, people often aren't inclined to contribute back to community resources.
00:09:28.110 At this point, many people ask me about companies that pay people to work on open source full-time. While there are exceptions, many businesses are more focused on their profits than contributing to the community. They enjoy the benefits without sharing the responsibility.
00:10:19.649 In the past, there were instances where companies did support Ruby, such as Engine Yard employing the entire Rubinius team. However, they can easily change direction, leaving essential projects unmaintained.
00:10:41.579 One of the main goals of Ruby Together is to distribute costs across many companies and individuals. Individual financial ups and downs shouldn't affect community resources; these resources should be sustainable for the entire community.
00:11:39.560 The way I started Ruby Together became clear after my years of experience with Bundler and RubyGems. I saw problems that were becoming apparent to me, but not everyone understood them. Companies had built remarkably successful businesses on Ruby open source, which made it look like everything was working well.
00:12:00.100 But I foresaw that we might not be able to scale and continue to support the community. I tried various experimental approaches like support contracts, feature bounties, and others, but none provided sufficient improvement.
00:12:23.620 Ultimately, the breakthrough came when a company, Stripe, asked if it would be easier to work on Bundler if they simply gave me money. Once I recovered from the shock of that question, I accepted.
00:12:47.940 Because of that funding from Stripe, I was able to explore different kinds of nonprofits, hire a lawyer, and eventually found Ruby Together as a legitimate U.S. nonprofit. We operate as a trade association, similar to the Linux Foundation or the jQuery Foundation.
00:13:16.800 The core idea is that many people and companies from a particular trade come together to pool their resources to achieve benefits that no single entity could afford alone.
00:13:49.600 Over the last year and a half, Ruby Together has paid for 1,100 hours of developer time, which sounds like a big number and indeed is! We've made substantial progress, including releasing five significant versions of Bundler.
00:14:18.620 In Bundler 1.9, we started using a new dependency resolver called 'Molinillo', funded by a grant from Stripe, which is now shared between Bundler, RubyGems, and CocoaPods.
00:14:49.160 This means that if anyone finds a bug in any of those systems, the fix benefits all of them. In Bundler 1.10, we added new features, including a lock command and the ability to mute post-install messages.
00:15:17.300 In Bundler 1.11, we improved error messages significantly for conflicting requirements. We also shipped critical updates and optimizations in later versions, streamlining processes related to gem metadata.
00:15:47.530 Recently, we have also taken over the maintenance of RubyGems after a few years of lack of attention. We've released multiple updates, fixing bugs of all ages and ensuring our infrastructure runs smoothly.
00:16:10.560 We've increased security patches and implemented an entirely new system for deploying updates. We have improved both our Rails app and server-related infrastructure over the past year.
00:16:55.090 In addition, we started using Fastly as our CDN, providing better performance and troubleshooting capabilities. This shift enables more reliable gem availability for users across the globe.
00:18:21.010 We've worked hard to build a new tool called Gem Stash to help manage internal gems and create local copies of essential gems for quick access. This was directly made possible by funding and developer hours.
00:19:26.250 As we move towards releasing Bundler 2.0 and further plans to consolidate Bundler and RubyGems, we're excited about the improvements and efficiencies this will bring. These updates indicate our commitment to both sustainability and improved experiences for Ruby developers.
00:20:06.690 The last year and a half has been more successful than I anticipated. Ruby Together is now paying developers weekly, which leads to significant bug fixes and progress on both Bundler and RubyGems, surpassing the years prior to our establishment.
00:21:08.160 However, while we have seen consistent growth and new members in the past, our membership has plateaued in recent months. This stagnation could threaten our ability to continue funding developers at a sustainable rate.
00:22:01.960 We are appealing for more companies to join Ruby Together. We need the support of more businesses to sustain our growth and ensure continued improvements for the community.
00:22:31.960 What Ruby Together provides for individual developers is straightforward: free tools and hosting to facilitate sharing Ruby code. For companies, it is a more complicated system but holds substantial value for everyone involved.
00:23:40.070 We invite companies to support Ruby Together so that we can continue to work on Bundler, RubyGems, and all associated resources benefiting the Ruby community. Everything built with community funds will be shared freely.
00:24:04.480 Thank you for your time!
00:24:29.750 The work that you’re doing for the community is amazing. Many take these tools for granted without realizing the extensive labor and dedication involved behind the scenes.
00:25:19.050 By working together, we can improve our services and sustain the quality essential for the growth of the Ruby community.
00:25:59.910 Thank you again! Oh, by the way, I have some swag! I brought stickers and pins to share. If you're a member of Ruby Together or sign up now, please come get some stickers or a cool pin!