00:00:15.639
Hello, hello. I promise, even though this is the same title as the State of Ruby
00:00:21.039
Gems talk last year, we've edited some of the
00:00:26.679
slides. So a little bit about me: I am @segiddins. If you've ever interacted
00:00:32.840
with Bundler or RubyGems on GitHub, you've probably seen that handle and this face.
00:00:38.800
Um, I also go by Samuel, and as mentioned I'm a maintainer of RubyGems, Bundler
00:00:45.039
and rubygems.org, and the security lead on those projects, and, uh, thanks to AWS I
00:00:51.960
am the Security Engineer in Residence at Ruby Central, and yes, I have been writing bugs for a very long time. So
00:01:00.600
welcome to SigstoreCon. Wait, no, wrong slide deck. Um, that was yesterday's conference
00:01:07.600
talk. We're in Chicago, let's see if I can get this right: welcome to my wedding. No, that was last trip to
00:01:16.640
Chicago. I swear I know what I'm doing. So you might be asking, why does
00:01:23.439
Ruby Central have a security engineer? Why isn't there a, like, fun
00:01:29.439
engineer or a feature engineer, a bug-fixing engineer, a make-things-go-faster
00:01:36.560
engineer? We'd love to get there but have to start somewhere, and we chose to start
00:01:41.880
with security. Now why start with a security
00:01:48.040
engineer as the first full-time engineering
00:01:53.200
hire? Well, to quote from GitHub: do you really know what's in your
00:02:03.520
software? You might remember some, uh, thought leader a long time ago saying,
00:02:08.920
hey, software is eating the world. That was 2011,
00:02:14.599
and the meal is over. The world has been consumed by
00:02:20.200
software. Software runs our lives, from our bank accounts to the power grid and,
00:02:27.080
most importantly, delivering the memes that keep us entertained on a daily
00:02:37.239
basis. That means that nowadays large enterprises really focus on security.
00:02:42.840
They have big security teams and they have large security roadmaps, and, like, they have
00:02:47.920
a chief information security officer and a chief privacy officer and all
00:02:54.640
that. And small businesses as well have, you know, more liability than they did back in the day when security incidents
00:03:01.480
happen, when data gets leaked or essential services go offline. And, you know, our governments are
00:03:09.400
kind of wagging their finger at us saying, no,
00:03:15.000
you've got to focus on cybersecurity. Well, the good news is my job is
00:03:22.560
to make security as easy as possible for all of you, the Ruby community.
00:03:31.400
I want to focus on the security stuff so you all can have fun and use your
00:03:37.760
favorite programming language and, you know, maybe make some money at work doing it. Up to you, I don't
00:03:47.519
judge. And we don't want security to get in the way; we want to keep Ruby the best
00:03:53.319
and most pleasant language to use for projects of all sizes, whether you're a government contractor working in a
00:04:00.439
highly regulated industry or write scripts for fun on nights and
00:04:11.480
weekends. It's still 2024. Security is a really big part of
00:04:18.479
the ecosystem whether we see it or not. It's, uh, you know, the set of things
00:04:25.639
that we care about when we evaluate Ruby, the gems that we use, and so
00:04:33.240
on. And that concern isn't going away, it's getting bigger. Um, government
00:04:40.280
agencies are publishing more white papers and using scarier language and
00:04:45.360
scarier attacks keep happening.
00:04:51.360
Now I know I'm a security engineer, but I hate the alphabet soup of security as
00:04:57.440
much as anyone else. Uh, raise your hand if you've ever heard
00:05:03.400
someone say SLSA, the CRA, or SBOM, or GUAC to
00:05:11.360
you. Not the guac that you get at Chipotle, that one costs extra. This one
00:05:17.919
you can produce for free. Um, all that stuff isn't fun, and I know
00:05:24.520
as well as everyone. I just came from a conference about supply chain security,
00:05:30.240
and my eyes rolled at the one talk that repeated SBOM roughly two and a half
00:05:36.919
times every sentence. Unfortunately, all these
00:05:42.000
schemes and the boxes that they check are must-haves. Um, if you're moving
00:05:48.880
money around or selling software to the government or making cars, dealing with
00:05:54.880
people's health care data, etc., checking these boxes
00:06:00.160
is not optional, even if you wish it was. And at the end of the day, if Ruby
00:06:07.759
doesn't help you check the boxes that you need to check, people are going to be forced to
00:06:13.840
leave the community, and we don't want that. We want people in the Ruby
00:06:19.400
community to stay. We want, let's say, big companies that are focused on, um, making
00:06:27.080
Ruby and Rails faster and making our IDEs have nice language support. Um, we want
00:06:34.919
them to continue using Ruby. So over the past 12 months of my
00:06:42.319
security residency, I'd like to think I did a lot. Um, my boss is in the room, so
00:06:49.039
at the end of this, if you can make it sound like I've had a really impressive year, um, that might be good for my year-end
00:06:54.800
review. So this is just sort of a checklist. We rolled out trusted
00:07:00.879
publishing last December. We had a couple of major supply chain incidents, the number one of
00:07:07.400
which was XZ in March, and, uh, as a result, built tooling to make responding to that
00:07:14.080
stuff less miserable because I really don't like it when I get paged while on
00:07:19.560
the ski slopes on a family vacation. Uh, wrote a Sigstore Ruby
00:07:26.759
client. Um, we had a security audit, and I helped lead the response to
00:07:32.560
that. And this is my big project that I, uh, don't quite have wrapped up, but stay
00:07:39.199
tuned, I'm very productive at conferences. I've been working on integrating Sigstore into RubyGems and
00:07:46.039
Bundler. Um, and finally, I've spent a lot of time working with my peers in different software ecosystems, um, sort of
00:07:53.680
defining what it means to be a modern packaging ecosystem, to run a safe and,
00:08:00.400
you know, 2024-era, uh, software
00:08:07.919
repository. I'd like to think that's meant I've, they've had, like, extensive thought
00:08:13.240
leadership. Um, and, you know, of course all the other stuff that being a maintainer on our team entails, including, I did the
00:08:21.080
math, uh, 2,190 hours of being on call for rubygems.org. So,
00:08:30.560
trusted publishing. It is a way to publish gems
00:08:36.479
using machine identities, such as, uh, a GitHub Actions release
00:08:41.760
workflow, instead of maintaining long-lived credentials that sit who knows
00:08:49.240
where. And, uh, I'd like to ask you to add it to your gem today. I have built a plugin
00:08:55.040
at RailsConf earlier in the year, and, uh, you can run it with the handy
00:09:01.800
one-liner. So far we've had 2,400 versions published using trusted publishing from
00:09:08.760
almost 350 distinct gems, and I'd like to challenge you all: can we double that
00:09:14.560
number before we leave Chicago? Can you set up trusted publishing for, like, I'm
00:09:20.120
doing the math here, three of your gems each? We double that number,
00:09:25.160
easy. And in total, those gem versions have been downloaded something like 260
00:09:31.959
million times. There have, uh, also been, you know, a
00:09:39.800
number of high-profile gems that have adopted trusted publishing, things like
00:09:45.320
addressable, uh, net-imap, and, um, this
00:09:50.360
small gem that you might have heard of that just got a big version bump,
00:09:56.000
Rails, published using trusted publishing.
00:10:01.120
We had a real wake-up call earlier this year about the extent to which nation-state
00:10:06.279
actors view critical open-source projects as an attack target. So we
00:10:12.120
started a project to index the content of every single gem that you all have
00:10:17.320
published. We surface security events, so you can sign on to your rubygems.org account and see, uh, who else has signed
00:10:25.680
on as you and who's made changes to the gems that you own,
00:10:30.720
with the goal of reducing the amount of time it takes to detect and respond to
00:10:35.839
incidents, declare them all clear, so we can spend more time, you know, building
00:10:41.399
features instead of trawling through logs. Sigstore is a, uh, a complicated
00:10:50.760
project, I won't pretend otherwise. Um, the tagline of which is
00:10:56.680
making sure your software is what it claims to be. So it is a cryptographically sound
00:11:03.079
system that allows me to hand you a JSON file, and you can prove using that JSON
00:11:10.880
file and some public key cryptography that, uh, oh hey, you own
00:11:16.760
this GitHub repository and you published a tag, and here's the commit from this tag, and you ran a GitHub Actions
00:11:24.120
workflow called release.yaml and you built a file that happens to
00:11:29.399
look suspiciously like a gem with this checksum. You can prove that without having
00:11:36.000
any trust in rubygems.org, that that's where an artifact came
00:11:43.040
from. That allows me to say, hey, every release I use of this gem should come
00:11:48.560
from the correct GitHub repo. And eventually it'll allow you to
00:11:53.639
say, hey, of those 389 AWS gems I depend on, do they
00:12:07.040
performed by, uh, a well-known firm that specializes in open source security
00:12:13.800
called Trail of Bits. They also completed, uh, audits of Homebrew and PyPI in the
00:12:19.240
past year. Um, it was funded by our wonderful friends at Alpha-Omega, and you
00:12:25.600
can expect an in-depth retro on that whole process on our blog in the
00:12:32.360
next month, now that I no longer have to take time to prepare for this talk. But
00:12:37.560
don't worry, rubygems.org is in good shape. Now I would love nothing more than
00:12:44.639
to spend, let's be honest, it would be more than an hour, going into more detail
00:12:50.320
about all the security work that we've been doing over the past year. So come
00:12:56.320
say hi and, you know, discuss Ruby and RubyGems security this week. Um, we have a
00:13:02.519
whole hack day to do that tomorrow. And now, because it has been a
00:13:07.839
long day, I will hand you off to my, uh, more talented and well-rested teammates.
00:13:24.959
The well-rested or more talented? Sigstore is
00:13:30.079
impressive. Uh, I'm a principal engineer at Cloud City, my name is Martin Emde, hello.
00:13:35.800
Um, I've been a Rubyist since 2005. Um, I feel like at that point it's like Planck
00:13:41.079
time, it's like it's getting compressed into just very tiny amounts of starting early. Um, I've been an open source
00:13:48.160
contributor almost as long, um, and two years with the RubyGems
00:13:55.199
team. So I'm going to tell you about the new design we're working on at Ruby
00:14:00.560
Gems. Uh, RubyGems really needed a refresh. Um, usability suffering, I don't
00:14:05.880
know if you've used it. Um, some of the patterns that we've been using, they're not, as I think Sam would say, 2024-era,
00:14:14.480
um, and it was getting really hard to add new features. So here's our new
00:14:24.480
design. Yeah, it's not, that's not actually, so, uh,
00:14:30.360
yeah, most of this is still, ah, yeah, oh
00:14:35.680
my. Um, so we're working on it. Um, but one place where you can see it
00:14:44.079
is on your dashboard, and if it looks so good, it's
00:14:49.560
my designer's accomplishment. I did the CSS and the classes and the
00:14:56.240
divs. Um, and we have a dark mode for the first time on RubyGems. Thank
00:15:01.920
you. My eyes, literally, I made the designer do it because my eyes were
00:15:07.000
hurting while I was working on it. So at night I work on the dark mode. Um, but it's not all here yet,
00:15:15.120
waiting is not easy, so it will be coming. I wanted to find
00:15:21.240
out how long we had used this design. Um, and I went back to, apparently,
00:15:27.279
a decade ago, during around RubyConf time, and that's the first time this new design showed up. So this is, we're
00:15:34.560
running on 2014-era packaging right now. Uh, so I think we need 2024-era design to
00:15:41.279
go with the 2024-era package management. Um, and I got curious, so I went back a
00:15:46.639
little further. This is 2010, some of you remember, yeah. 32 million downloads of
00:15:54.079
gems compared to 165 billion, that is, uh, that's a big change. Um, and then this is
00:16:01.519
even further, 2007, packaging
00:16:06.880
bliss. Um, okay, I made a minor mistake, we already had a dark mode in
00:16:19.519
time lately on organization accounts. So we received funding from Alpha-Omega as
00:16:25.079
well to do organization accounts. Um, and up until today,
00:16:30.720
managing multiple gems as a team, you had a couple options. You could use one account and share it very carefully; AWS
00:16:38.639
rotates credentials regularly, they're on top of it. Um, you can add everyone to all
00:16:45.160
your gems, you've seen a lot of lists of owners on gems. Um, or you can get
00:16:50.959
ownership of a gem and then remove everybody else, which
00:16:56.480
happens, yeah. Uh, so the first step towards organizations is a maintainer
00:17:01.959
role. This is live now. Um, it is like a miniature organization with one gem, and
00:17:07.240
you can still, as a maintainer, push gems, uh, but without all the remove
00:17:13.360
everyone. Um, so this is some of the screens. We are really excited to launch
00:17:22.120
it. Um, our goals, oops, I, there, okay. Our goal for the
00:17:29.240
organization accounts is, um, it's opt-in, it doesn't disrupt any existing use
00:17:37.160
cases. gem should still push, everything should still work. If somebody adds a gem to an org, you should just not notice
00:17:43.080
that it happened, other than you get the invite. Um, everything should keep working, so that's, like, critical. Um, and we want
00:17:49.880
to make sure that, because these are critical changes, they go, they're very clearly described. So we learned from our fellow
00:17:58.440
friends at the Python Package Index, um, that when you approve names for
00:18:05.039
organizations manually, you get so overwhelmed that they just declared bankruptcy, there were too many. So we
00:18:12.640
have decided an approach to naming orgs is that you name them after a gem. That's
00:18:18.679
it. You own the gem, you can name the org that. You don't own the gem, you can't name the org that. So that means, because
00:18:26.400
the land rush is over on RubyGems, most people already have the name that they want. So if you don't already, it's,
00:18:33.840
you know, it's probably already taken. Um, and this is also the area in
00:18:39.200
which we take disputes. So, um, name your org, pick gems, add people,
00:18:47.880
and we're going to try to beta test this during the hack day. So, uh, I will warn you, it is not ready for production gems,
00:18:54.480
so I cannot promise you'll be able to push a gem after it's added, or that you'll be able to even see it. I don't
00:19:00.520
know, we'll see. Uh, we're going to try to get that ready before we push it out, but, uh, come and talk to me at hack day and I
00:19:12.440
Marty. All right, thanks Martin. All right, so I'm going to talk to you about the Open Source Program, uh, as introduced by
00:19:19.400
Sarah. I am the Director of Open Source. I, uh, recently started this role in August, so
00:19:24.960
it's, uh, pretty new. Uh, though you probably know I'm not new to RubyConf or
00:19:30.240
to Ruby Central, because I've been here quite some time. Fun fact, this is my 19th
00:19:35.760
RubyConf, I've been to all of them since 2006. So, all right, let's get going. So
00:19:41.200
let's do a little history here. Uh, I'm going to show you, this is a timeline of essentially RubyGems from its beginning.
00:19:47.640
Uh, 2003 is actually when RubyGems was conceived and hacked at a RubyConf in
00:19:52.799
2003, and it, but it wasn't released in 2004. I'm not going to go through all
00:19:58.120
these, uh, points in the timeline because I don't have the time, but I'm going to talk to you, we're going to focus a
00:20:04.039
little more on the last couple items. Uh, so in 2022 Ruby Together merged with
00:20:09.320
Ruby Central. At that point, Ruby Central now was, uh, owning the sort of, uh, hosting
00:20:16.280
of RubyGems and also the maintenance of RubyGems, and so at that point we started thinking about how do we manage
00:20:23.159
and oversee this work in, uh, a fair way for a nonprofit like Ruby Central.
00:20:29.159
So that led us to forming the Open Source Committee with this purpose, that
00:20:34.240
we have to do oversight, we have governance, and we need strategic guidance. We also want to think about how does community engage with us through
00:20:41.400
this committee. So we have three members of the committee, we have Gabby, Mike and euk,
00:20:46.960
and I believe they're all at the conference, so you can say hi to them if you haven't. And, uh, they have a lot of
00:20:52.880
work to do with the committee, but, uh, we just recently posted, um, on our website a little bit about the committee and some
00:20:59.159
history there. So please read that if you're curious about all that. Now, with the Open Source Program, uh,
00:21:06.039
this QR code will go to a page on Ruby Central's website that talks about the program in a little more detail. We're
00:21:12.080
going to, I'm going to be going through a few of those pieces, but the, uh, page has more detail. But ultimately we're looking
00:21:17.360
at how do we maintain and improve critical infrastructure and tooling that you all need to build Ruby
00:21:23.240
apps. So here's our mission, not going to read this, but there are really kind of three areas that we see in the mission.
00:21:30.400
First, there's maintaining RubyGems, keeping it secure, keeping it reliable enough for you to be able to rely on and
00:21:35.919
use. Uh, we also think about how do we support impactful, uh, projects, open
00:21:41.400
source projects in the Ruby ecosystem, and I'll list out a few of those in a moment. We think that there may be some
00:21:47.279
that are unmaintained that are still important to the community, that maybe we should, uh, sort of adopt and give some
00:21:52.840
TLC. So we consider that part of our mission as well. And the third piece is how do we grow open contributors, so that
00:22:00.240
we don't rely on the same 10 or so people that have been contributing, but how do we have the next generation come
00:22:06.240
in. So here's a list of our projects. Uh, there are short descriptions for these, if there are any of those that are
00:22:12.200
unfamiliar to you, on our website, but I'll keep moving. And here's our team. Uh,
00:22:18.440
I will point out that Samuel is the only one that works full-time on this; the rest of these, uh, individuals are doing
00:22:25.320
this part-time, uh, outside of their normal work. So thank you,
00:22:31.120
team. So what did we do in
00:22:36.720
2024? All right, fair, fair, kinda fair. All right, so, uh, 2024, we have an annual
00:22:42.760
report that we just published. This is the first time we've ever done an annual report on our work, uh, in open source, and
00:22:49.000
this QR code will take you to this. This report is a web preview, we'll be doing the finalized version by the end of the
00:22:56.039
year, which you can download and look over. So here are some highlights. Uh,
00:23:01.480
these are notable improvements that we've done with RubyGems and Bundler. I won't read them all out. Uh, some of this
00:23:06.640
work actually was done by, uh, our companies in the ecosystem, but these are all things that shipped with RubyGems
00:23:13.000
and Bundler this year. Another piece that we did a lot of work on was the infrastructure upgrades
00:23:19.960
around rubygems.org and how that is delivered, and, uh, very pleased with that. This all went without a hitch and
00:23:26.679
you didn't see any downtime, so great job, team. So the other piece that I want to
00:23:33.440
highlight is that we have a steady release cadence, and we maintain this. So we did 24 releases of RubyGems and
00:23:39.000
Bundler over the year, and that was basically every month, sometimes multiple releases in a month. And that meant
00:23:45.400
we had quick turnarounds on any bugs and security patches, which is important so that, you know, if there's an issue we
00:23:50.600
address it quickly and get it out the door. We've been having a 27, uh, 24/7 on-call
00:23:56.840
rotation for a while, but this year we added a secondary rotation to the on-call, and we had zero downtime, so
00:24:03.840
100% uptime and no major outages this last year. So yay, good job, team. And
00:24:09.120
that's 177,000 hours of on-call.
00:24:15.039
The last piece I want to highlight from 2024 is that we joined as associate members of two foundations to be active
00:24:23.080
in working groups focused on, uh, supply chain security. So OpenSSF and the Eclipse
00:24:28.640
Foundation, we joined that this year, and we are actively involved in these working groups. And this is important because there is a thing called the CRA,
00:24:35.440
or the Cyber Resilience Act, that's going, is coming, that will be enforced in the EU, that we have work to do to be
00:24:43.000
ready for. Sam already sort of alluded to this, but this is important stuff.
00:24:48.559
So what are we doing in 2025? Well, we have, uh, four major pillars
00:24:55.480
that we're thinking about in terms of, uh, themes of our work. We have developer experience, security,
00:25:01.120
stability, and sustainability. But before we get to the four pillars, there is the foundation
00:25:06.880
that all this is built on, because this is a mission-critical service. You all depend on this. We think very much about
00:25:12.760
service uptime, we think about bug fixes and those regular releases. We also do a
00:25:18.159
lot of customer service, so people who get locked out of their accounts or have gem disputes. This happens constantly for
00:25:24.559
the team, and it is something that we have to stay on top of so that you all can, and resolve whatever issue you might
00:25:30.320
have with RubyGems. So let's talk about developer experience. Uh, we think about this as
00:25:36.799
we're sort of aiding your develop-, your dev tooling team. Uh, the organizations work falls under this.
00:25:42.559
We are thinking about namespaces for next year, uh, in collaboration with Ruby core, and we also want to improve
00:25:48.399
documentation so that it's clear on how, you know, like, there isn't differences between Bundler documentation and Ruby
00:25:54.000
Gems documentation, and that's been, uh, upgraded, because it's probably also 2014-era documentation is my
00:26:01.440
guess. Security, uh, Samuel's already talked a bit about this, but this is important. Uh, one of the things that came
00:26:08.120
out of our security audit is there are some things we'd like to do around how we do, uh, cloud infrastructure controls
00:26:13.559
that we'd like to work on, and we also have some compliance work that we have to do, and these are all things that we
00:26:19.039
have planned for 2025, as well as working with the security working
00:26:25.080
groups. For stability, uh, we think about this as, you all depend on this, so we
00:26:30.360
want to make sure we're there for you when you're trying to do your builds and do your, um, deploys. So we don't have a
00:26:36.880
formal disaster recovery plan or regional failover. We haven't needed this, and hopefully we won't need this, but
00:26:42.600
that's maybe not the best, uh, plan for stability. So we want to do that work in the coming year. We also want to work on
00:26:49.360
our runbooks and our systems documentation and get it out of the, uh, heads of our devs and into
00:26:55.080
documentation. And there's also a piece around the cloud infrastructure where we want a stream-, so we can streamline that, so we can bring up a new environment and
00:27:01.720
run, say, like, a new organizations work there and test it out, and not do that in
00:27:07.880
production. But we're going to do it in production, so, but very carefully. Okay, so
00:27:13.120
sustainability is the last pillar I want to talk to you about, and this is for us, so we can keep doing this for you all.
00:27:18.840
And one of the things that I'll focus the rest of my time on here is about recurring revenue. So the team has had a
00:27:25.200
lot of extra funding in the last couple years, but funding hasn't been sustainable or has been reliable over
00:27:30.320
the years, and so that's something that I want to solve and make better for our organization. Also, we want improved
00:27:37.240
internal documentation, so onboarding is easier for new developers, because we also want to bring in the next generation of OSS
00:27:44.399
contributors. So I have a question for you: how should critical open-source infrastructure be
00:27:54.080
funded? With money. Well, that's true. So, so think, you think about that.
00:27:59.799
Let's go, let's do another history lesson here. So I mentioned that infrastructure
00:28:05.720
funding has been provided by Ruby Central from the beginning, and that was largely funded by conference proceeds. So
00:28:12.080
before the pandemic we actually made money at conferences, and it was great. So we had, as a nonprofit, now we can funnel
00:28:17.960
this into RubyGems or into, uh, other, uh, projects and grants we can give out to
00:28:23.279
the community, and so this paid for the infrastructure. We also have donated services,
00:28:28.840
in, like, like Fastly and AWS allow us to use our services for free, essentially,
00:28:34.600
and so that's very important, too, to reducing the cost of maintaining this for you all. So that's the history of infrastructure funding. For developer
00:28:42.000
funding, here you can see it broken down. It is largely, has been, and continues to be volunteer, with the exception of in
00:28:49.480
2009 when someone was paid full-time to work and build Bundler as part of the Merb project. Uh, there has never been,
00:28:57.200
until now, there's never been someone who spent full-time to work on RubyGems all that time. So here's the
00:29:05.080
timeline. So we break down funding into four different, distinct sources. We talked about donated services, and I'll
00:29:11.559
share those, um, organizations that have supported us that way in a moment. We have the membership program, so
00:29:17.799
those of you who have joined the Ruby Together membership program, that's now under Ruby Central, we thank you for your support. That also helps pay for the, uh,
00:29:24.640
team's work. We have a new program I'm going to talk about in a moment called the Corporate Sponsorship Program, which
00:29:30.120
is our thinking about how do we make this sustainable on a renewing, uh, fashion. And then we had the program-specific
00:29:36.640
funding partners, which we've kind of highlighted, like Alpha-Omega already and AWS. They gave us money for a
00:29:42.840
specific purpose, but that is not renewable. So here are our donated services. We have AWS, Fastly, Datadog,
00:29:50.679
Honeybadger, DNSimple, menio and AO all provide important services for free for
00:29:56.519
us to run RubyGems. So thank
00:30:02.840
you. For 2024 we have five standout funding partners that gave large
00:30:08.440
portions of funding to, uh, fund this work. So Sovereign Tech Agency, the AWS, which
00:30:14.760
funded Sam's, uh, security engineer work. Uh, we have Shopify, Sidekiq, and
00:30:19.919
Alpha-Omega. So thank you all for your
00:30:26.159
support. So what does that look like? This is the breakdown of how that funding compares to, uh, itself, and you can see
00:30:32.840
that over half is program-specific funding, and if you recall, one of the aspects of that is it's not renewable,
00:30:38.880
meaning that 2025, if I don't go and raise some more money, this pie will be
00:30:43.960
dramatically smaller, which means we won't be able to continue to do all the work that we want to do and would love
00:30:49.720
to do for you all. So with that, I want to, uh, talk about the Corporate Sponsorship
00:30:55.120
Program. This is something we just launched. This page actually went live, I think, yesterday, and this QR code will
00:31:01.000
take you to that page. And this is how we view our path of sustainability,
00:31:06.320
because the thinking that we've had is, do we really want to have a very
00:31:11.960
small number of very large companies pay the bulk of the, uh, funding, provide
00:31:18.000
the funding for these, or for this work, or should we collectively, as an organization, as a community, provide that
00:31:25.080
funding? And we think that it's best for the Ruby community to collectively fund this work instead of relying on a
00:31:32.000
handful of small companies; they may change their mind on funding this or not. So please, I would say, uh, visit this page
00:31:40.159
and think about, like, does it make sense for your company to somehow get involved in helping support this. And we would
00:31:47.080
like there to be a level for every company to be able to pitch in, even if it's a small amount of, like, $1,000 a
00:31:53.200
year or something like that. It all helps. So how should we fund open
00:32:00.399
source? One more thing I want to mention before we stop. Um, uh, we are thinking, assuming that we are able to raise some
00:32:06.080
money, we want to grow the team by adding another security engineer to join Samuel, and an infrastructure engineer to help
00:32:11.840
us work on our AWS infrastructure and modernize things that we want to improve.
00:32:17.279
So thank you, everyone. I hope you continue making Ruby awesome, and join us
00:32:23.159
tomorrow at hack day. We'll be there, we look forward to you visiting us, uh, during hack day, and, uh, help out with RubyGems.