..

January 2025 Residency Update

A quick update on what’s been happening in the past month. Abbreviated, since there was both vacation and a sick week somehow squeezed in there.

Infrastructure Hardening RFQ

Along with Marty, Samuel has been working on honing in on the scope for some infrastructure hardening work. This is the big action item from last year’s RubyGems.org security audit, and figuring out how to ask for the work to be done is important – it will steer both the impact of the work as well as the cost.

sigstore-ruby

As of now, sigstore-ruby supports Ruby 3.4 is is on the latest version of the sigstore conformance test suite. A new minor release should be out pretty soon. Updating to use the latest sigstore conformance test suite took longer than expected, since it required updating the test setup to deal with the removal of detached signatures from the conformance test suite and it coincided with CI failures due to the ruby 3.4 release.

RubyGems.org Oncall Improvements

Over the past couple of months, we saw the rate of oncall pages increase from “basically never” to “several times a day”. These pages were almost entirely due to spurts of 5xx responses from the application, and they all self-resolved within a few minutes to an hour. This level of noise gets in the way both of getting work done, as well as being able to confidently monitor the site and respond to (more pressing) issues. A long investigation led to a four line fix (with about two orders of magnitude more in the commit message), and RubyGems.org is back to not paging the oncall rotation.

Ecosystem Data

Of course, a month with vacation time wouldn’t be complete if Samuel didn’t get to spend some time beating his “give me all the data” drum. There are two “big data” GitHub repos that were the result: gem-daily-downloads and rubygems-org-db-dumbs. The first has daily downloads by gem (but not by gem version) going back over a decade. The second is a CSV version of the RubyGems.org public database dump. By getting this data into CSVs, we’ve been able to start running some analysis, and here are some early takeaways:

  • The number of gem versions pushed has been experiencing constant growth over the past decade
  • Around 630 gems have a million or more downloads over the past 30 days
  • Around 10% of all gem downloads over that time period are attributable to the aws- gems
  • 15 of the top gems have already adopted sigstore signing
  • Around a third of the top gems have not received an update since before January 1, 2024

Other Items