RubyGems & Bundler (2023)

Both Bundler and RubyGems are indispensable tools for using Ruby. Many applications in many contexts rely on their regular maintenance and improvement, as well as their ongoing usability. A failure of the RubyGems servers or Bundler losing functionality would have a major impact worldwide. By improving the hosting platform for gems, they improve software production security and help protect the Ruby ecosystem from threat of supply chain attacks. These two tools are therefore critical infrastructure, not only for the developers who use them, but for countless public and private services used by hundreds of millions of people every day.

There are many open source projects that use Ruby or the Ruby on Rails framework. Some examples of popular open source projects using Ruby include:

• Discourse, a platform for online discussion forums
• GitLab, a web-based Git repository manager
• Jekyll, a static site generator
• Mastodon, a free, decentralized, and open-source social network
• Spree Commerce, an open-source e-commerce platform downloaded over 1.5 million times from RubyGems
• Metasploit, an industry-standard security research tool
• Homebrew, the most popular package manager for MacOS
• Code.org, a popular computer science education curriculum

As one of the Sovereign Tech Fund’s pilot projects (October 2022 through May 2023), the following work was commissioned: maintenance on Bundler, RubyGems, and the RubyGems.org service. This work ensures Bundler’s compatibility with current and upcoming operating systems, improves the performance of RubyGems.org for billions of monthly downloads, and that security and reliability issues can be addressed quickly and decisively. Investments were also made in higher-level tools to improve the lives of Ruby developers, in projects like Gemstash, the Ruby Toolbox, and Ruby API online documentation.

In 2023 and 2024, the STF has commissioned Ruby Central, a non-profit organization dedicated to promoting and sustaining usage of the Ruby programming language, to perform the following work:

Improve reliability for RubyGems.org global service, including a paid 24/7 on-call rotation of 3-5 people, enabling rapid response to handle emergencies, incidents, or critical security issues; infrastructure upgrades (Kubernetes, Elasticsearch, PostgreSQL); deprecate and remove legacy APIs; automated review environments to test more easily and speed up the development process.

Remove pain points, improve efficiency, and workflow tools for RubyGems maintainers: admin tools to help users and resolve problems; deprecate and remove certain commands to reduce future bugs as well an unaudited legacy cryptographic signing scheme

Increase support for organizations: namespaces for organizations to eliminate name-confusion attacks; adding multiple user permissions levels; a Terraform provider to manage permissions for gems; improving security on rubygems.org; better and automated account management;

Improvements for gem creators: download graphs per version to show real world usage changes over time; release gems securely; increase compact index support, which speeds up determining which gems in use are compatible with each other, and improves security, caching, corruption-detection, while reducing server costs and bandwidth usage.

Improvements for Ruby developers: new functionality based on user requests; a view to show package contents (not just repository contents); a view to show changes between versions; expansion of and maintenance on Ruby Toolbox guide, making it easier for developers to start using Ruby; expanding the rubyapi.org website to include documentation on the Ruby language itself as well as APIs.