Merge pull request #463 from rubycentral/update-2025-01

Add January 2025 update for Ruby Central

alpha/engagements/2024/RubyCentral/README.md

@@ -21,6 +21,7 @@ This engagement started in February 2024.
 * [September 2024](update-2024-09.md)
 * [October 2024](update-2024-10.md)
 * [November 2024](update-2024-11.md)
+* [December 2024](update-2024-12.md)
 
 ### Primary Contacts
 

alpha/engagements/2025/Ruby Central/README.md

@@ -12,7 +12,7 @@ Marty's staffing expansion started in December 2024. Samuel's staffing is a cont
 ### Monthly Updates
 
 * [December 2024](../../2024/RubyCentral/update-2024-12.md)
-
+* [January 2025](update-2025-01.md)
 
 
 

alpha/engagements/2025/Ruby Central/update-2025-01.md

@@ -0,0 +1,56 @@
+# Update 2025-01
+
+## Samuel Giddins
+
+### Infrastructure Hardening RFQ
+
+Along with Marty, Samuel has been working on honing in on the scope for some infrastructure hardening work.
+This is the big action item from last year's RubyGems.org security audit, and figuring out how to ask for the work to be done is important -- it will steer both the impact of the work as well as the cost.
+
+### sigstore-ruby
+
+As of now, sigstore-ruby supports Ruby 3.4 is is on the latest version of the sigstore conformance test suite. A new minor release should be out pretty soon. [Updating to use the latest sigstore conformance test suite](https://github.com/sigstore/sigstore-ruby/pull/207) took longer than expected, since it required updating the test setup to deal with the removal of detached signatures from the conformance test suite and it coincided with CI failures due to the ruby 3.4 release.
+
+### RubyGems.org Oncall Improvements
+
+Over the past couple of months, we saw the rate of oncall pages increase from "basically never" to "several times a day".
+These pages were almost entirely due to spurts of 5xx responses from the application, and they all self-resolved within a few minutes to an hour.
+This level of noise gets in the way both of getting work done, as well as being able to confidently monitor the site and respond to (more pressing) issues.
+A long investigation led to a [four line fix](https://github.com/rubygems/rubygems.org/pull/5392) (with about two orders of magnitude more in the commit message),
+and RubyGems.org is back to not paging the oncall rotation.
+
+### Ecosystem Data
+
+Of course, a month with vacation time wouldn't be complete if Samuel didn't get to spend some time beating his "give me all the data" drum.
+There are two "big data" GitHub repos that were the result: [gem-daily-downloads](https://github.com/segiddins/gem-daily-downloads) and [rubygems-org-db-dumbs](https://github.com/segiddins/rubygems-org-db-dumps).
+The first has daily downloads by gem (but not by gem version) going back over a decade.
+The second is a CSV version of the RubyGems.org public database dump.
+By getting this data into CSVs, we've been able to start running some [analysis](https://github.com/segiddins/rubygems-org-db-dumps/blob/f2f0b858670d88e0aa69fac663288a8804251d1e/analysis.ipynb), and here are some early takeaways:
+
+* The number of gem versions pushed has been experiencing constant growth over the past decade
+* Around 630 gems have a million or more downloads over the past 30 days
+* Around 10% of all gem downloads over that time period are attributable to the `aws-` gems
+* 15 of the top gems have already adopted sigstore signing
+* Around a third of the top gems have not received an update since before January 1, 2024
+
+### Other Items
+
+* Cache poisoning vulnerability fixed in RubyGems.org https://github.com/rubygems/rubygems.org/pull/5409
+* Added deletions and attestations to the RubyGems.org database dumps
+* 2024 year in review blog post https://traveling.engineer/posts/2024-in-review/
+
+## Marty Haught
+
+### 2025 Roadmap and Fundraising
+Marty shared the 2025 budget and roadmap with the OSS team and Ruby Central’s Board of Directors. It received positive reviews and awaits final approval from the board, which is expected in February.  The other important news is that we finalized our new positioning for our sponsorship prospectus, which was blocking our fundraising efforts. This will also be incorporated into our first annual report.  
+
+### Policy Work
+Marty worked with Aaron Williamson to draft the initial versions of an Acceptable Use and Terms of Service.  These have received a positive review by the team leaving our deletion (yank) policies as the last section to resolve before producing the final version.  We anticipate that this will be finalized and published in mid-February.
+
+### Organizations
+Marty reviewed what’s outstanding with the Organizations feature before starting beta testing in production.  We have allocated budget for the work to proceed in February.  Once that is complete we’ll give the AWS team a preview of the flows for their feedback.
+
+### Infrastructure Controls
+One of our big initiatives for 2025 came out of last year’s security audit.  We’re looking to improve the access and controls around our infrastructure.  We spent some time planning out how to proceed.  We are actively working with two experts in the space around a holistic proposal.  While we’re making progress, we suspect it will take several weeks to get to a final proposal.  
+
+The team discussed starting a small scope of the work while we finish the holistic proposal.  Marty will write up a proposal covering the goals of the full proposal while only defining a small initial phase around SSO access to AWS. This will allow us to start on an impactful part of the work while allowing more time to complete the rest of the proposal.