generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #455 from rubycentral/update-2024-12
Add December 2024 report for Ruby Central
- Loading branch information
Showing
1 changed file
with
45 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # Update 2024-12 | ||
|
|
||
| ## Organizations | ||
|
|
||
| We completed the code for managing organization members. There are a few places in our existing workflows where the new Organization isn’t fully represented yet. All of this functionality is locked behind a feature flag so it’s not visible to the public. | ||
|
|
||
| The next step is to test the onboarding flows internally before demoing the workflows with one of our key customers, the AWS gem team, to collect feedback. The goal in the next two months is to onboard a few customers in a private beta before moving to limited availability. | ||
|
|
||
| In November, we used up the remaining funds from the grant so the pace of work slowed down after RubyConf. We covered development through a mix of volunteering and selective use of our maintenance budget. We will explore how to fund the remaining work once we have a sense of its scope. | ||
|
|
||
| ## Samuel Giddins | ||
|
|
||
| ### RubyGems.org Security Audit | ||
|
|
||
| Samuel spent the first half of the (effective) month closing the loop on the RubyGems.org security audit. He addressed all the top findings, fixing the low hanging fruit and adding static analysis through Semgrep and Zizmor to prevent regressions on many of the fixes, since that is how Trail of Bits found them initially. In collaboration with Trail of Bits, he published two blog posts about the process, findings, and assessment of RubyGems.org's overall security posture: [RubyGems.org Completes First Security Audit With Trail of Bits](https://blog.rubygems.org/2024/12/11/security-audit.html) and [Auditing the Ruby ecosystem’s central package repository](https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/). | ||
|
|
||
| ### Sigstore | ||
|
|
||
| Samuel [improved the display](https://github.com/rubygems/rubygems.org/pull/5330) of trusted provenance on RubyGems.org and developed a [proof-of-concept to support JRuby in sigstore-ruby](https://github.com/sigstore/sigstore-ruby/pull/192/), addressing a gap noticed by many of the core ruby gems that had already adopted trusted publishing and sigstore signing. He also established infrastructure to track adoption of sigstore attestations among top gems, similar to the [Python Wheels website](https://github.com/meshy/pythonwheels). | ||
|
|
||
| ### Other Items | ||
|
|
||
| #### RubyGems 3.6 / Ruby 3.4 Release | ||
|
|
||
| Samuel addressed backwards/forwards compatibility issues and upgraded infrastructure to run on the latest release. | ||
|
|
||
| #### Prototyped Ruby Version Manager | ||
|
|
||
| Samuel created [chrb](https://github.com/segiddins/chrb) as a platform for a working group to experiment with new setups in their effort to standardize local ruby version management. This includes features like running a matrix of rubies that make maintaining core infrastructure like rubygems easier. | ||
|
|
||
| #### RubyGems SafeMarshal Improvements | ||
|
|
||
| Security improvements were made by hardening multiple classes used as gadgets in recent PoC, and addressing a buffer overread that allowed for arbitrary marshal deserialization. | ||
|
|
||
| #### Ruby Fuzzing | ||
|
|
||
| Samuel spent some time collaborating with Trail of Bits on the infrastructure needed to fuzz Ruby directly via [ruzzy](https://github.com/trailofbits/ruzzy). This culminated in a pair of bug reports: [`[BUG] object allocation during garbage collection phase reproduction`](https://bugs.ruby-lang.org/issues/20941) and [`Infinite loop when out of memory`](https://bugs.ruby-lang.org/issues/20942). We are hoping to continue pushing forward here with ToB's help as a background tack. | ||
|
|
||
| ## Marty Haught | ||
|
|
||
| Marty prepared a 2025 budget and roadmap for internal review. This was the first budget ever produced for the open source program. It included three variations based on how successful our fundraising efforts would be. Even with the pessimistic budget, we will be able to sustain lean operations. This would form the basis for a presentation Marty gave to our core sponsors on Dec 11th. He included 2024 accomplishments and the 2025 outlook based on current support. Initial feedback was that sponsors would like to see more detail in how open source funds were spent. This was valuable feedback as he made adjustments to the final annual report that will be prepared in January once our financials have settled. | ||
|
|
||
| Work began on the Terms of Service and Privacy Policy for RubyGems.org. Aaron Williamson shared a draft of the Privacy Policy that Marty will review and discuss with Aaron before sharing it more broadly with the team. Marty will be working on a data map to document how we process data on RubyGems.org. | ||
|
|
||
| Next up, Marty will oversee how the Organizations work can move forward with our limited budget and explore ways to fund the work. After that, he'll start the assessment of team access of cloud services and infrastructure. |