alpha/engagements/2024/RubyCentral/update-2024-12.md
+10-20
@@ -8,48 +8,38 @@ The next step is to test the onboarding flows internally before demoing the work
8
8
9
9
In November, we used up the remaining funds from the grant so the pace of work slowed down after RubyConf. We covered development through a mix of volunteering and selective use of our maintenance budget. We will explore how to fund the remaining work once we have a sense of its scope.
10
10
11
-
12
11
## Samuel Giddins
13
12
14
13
### RubyGems.org Security Audit
15
14
16
-
- Closed the loop on the top findings to address
17
-
- Fixed all the low hanging fruit
18
-
- Added static analysis via Semgrep and Zizmor to prevent regressions on many of the fixes, since that is how ToB found them
19
-
- Collaborated with Trail of Bits to put out a pair of blog posts about the process, the findings, and our take on RubyGems.org's overall security posture
20
-
-[RubyGems.org Completes First Security Audit With Trail of Bits](https://blog.rubygems.org/2024/12/11/security-audit.html)
21
-
-[Auditing the Ruby ecosystem’s central package repository](https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/)
15
+
Samuel spent the first half of the (effective) month closing the loop on the RubyGems.org security audit. He addressed all the top findings, fixing the low hanging fruit and adding static analysis through Semgrep and Zizmor to prevent regressions on many of the fixes, since that is how Trail of Bits found them initially. In collaboration with Trail of Bits, he published two blog posts about the process, findings, and assessment of RubyGems.org's overall security posture: [RubyGems.org Completes First Security Audit With Trail of Bits](https://blog.rubygems.org/2024/12/11/security-audit.html) and [Auditing the Ruby ecosystem’s central package repository](https://blog.trailofbits.com/2024/12/11/auditing-the-ruby-ecosystems-central-package-repository/).
22
16
23
17
### Sigstore
24
18
25
-
-[Improved display](https://github.com/rubygems/rubygems.org/pull/5330) of trusted provenance on RubyGems.org
26
-
- Wrote a proof-of-concept to support JRuby in sigstore-ruby
27
-
- Lack of support was noticed by many of the core ruby gems, which have already adopted trusted publishing & sigstore signing
28
-
- Set up infrastructure to track adoption of sigstore attestations amongst top X gems, similar to https://github.com/meshy/pythonwheels
29
-
19
+
Samuel [improved the display](https://github.com/rubygems/rubygems.org/pull/5330) of trusted provenance on RubyGems.org and developed a [proof-of-concept to support JRuby in sigstore-ruby](https://github.com/sigstore/sigstore-ruby/pull/192/), addressing a gap noticed by many of the core ruby gems that had already adopted trusted publishing and sigstore signing. He also established infrastructure to track adoption of sigstore attestations among top gems, similar to the [Python Wheels website](https://github.com/meshy/pythonwheels).
20
+
30
21
### Other Items
31
22
32
23
#### RubyGems 3.6 / Ruby 3.4 Release
33
24
34
-
- Fixed backwards/forwards compatibility
35
-
- Upgraded infrastructure to run on latest release
25
+
Samuel addressed backwards/forwards compatibility issues and upgraded infrastructure to run on the latest release.
36
26
37
27
#### Prototyped Ruby Version Manager
38
28
39
-
-https://github.com/segiddins/chrb
40
-
- A place for a working group attempting to standardize on local ruby version management to be able to experiment with new setups
41
-
- Features like running a matrix of rubies that make maintaining core infra like rubygems easier
29
+
Samuel created [chrb](https://github.com/segiddins/chrb) as a platform for a working group to experiment with new setups in their effort to standardize local ruby version management. This includes features like running a matrix of rubies that make maintaining core infrastructure like rubygems easier.
42
30
43
31
#### RubyGems SafeMarshal Improvements
44
32
45
-
- Multiple classes used as gadgets in recent PoC were hardened
46
-
- Buffer overread that allowed for arbitrary marshal deserialization addressed
33
+
Security improvements were made by hardening multiple classes used as gadgets in recent PoC, and addressing a buffer overread that allowed for arbitrary marshal deserialization.
34
+
35
+
#### Ruby Fuzzing
47
36
37
+
Samuel spent some time collaborating with Trail of Bits on the infrastructure needed to fuzz Ruby directly via [ruzzy](https://github.com/trailofbits/ruzzy). This culminated in a pair of bug reports: [`[BUG] object allocation during garbage collection phase reproduction`](https://bugs.ruby-lang.org/issues/20941) and [`Infinite loop when out of memory`](https://bugs.ruby-lang.org/issues/20942). We are hoping to continue pushing forward here with ToB's help as a background tack.
48
38
49
39
## Marty Haught
50
40
51
41
Marty prepared a 2025 budget and roadmap for internal review. This was the first budget ever produced for the open source program. It included three variations based on how successful our fundraising efforts would be. Even with the pessimistic budget, we will be able to sustain lean operations. This would form the basis for a presentation Marty gave to our core sponsors on Dec 11th. He included 2024 accomplishments and the 2025 outlook based on current support. Initial feedback was that sponsors would like to see more detail in how open source funds were spent. This was valuable feedback as he made adjustments to the final annual report that will be prepared in January once our financials have settled.
52
42
53
43
Work began on the Terms of Service and Privacy Policy for RubyGems.org. Aaron Williamson shared a draft of the Privacy Policy that Marty will review and discuss with Aaron before sharing it more broadly with the team. Marty will be working on a data map to document how we process data on RubyGems.org.
54
44
55
-
Next up, Marty will oversee how the Organizations work can move forward with our limited budget and explore ways to fund the work. After that, he’ll start the assessment of team access of cloud services and infrastructure.
45
+
Next up, Marty will oversee how the Organizations work can move forward with our limited budget and explore ways to fund the work. After that, he'll start the assessment of team access of cloud services and infrastructure.
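Review bot: typo in the new Ruby Fuzzing paragraph: "as a background tack" should read "as a background task". The rewritten SafeMarshal paragraph is also the only one in this file written in the passive voice ("Security improvements were made by hardening multiple classes..."), while every neighbouring paragraph names Samuel as the subject; for consistency, consider "Samuel hardened multiple classes used as gadgets in the recent PoC and addressed a buffer overread that allowed arbitrary Marshal deserialization." Finally, the last removed/added pair differs only in the apostrophe of "he'll" (curly replaced by straight); if that was not intended, dropping it keeps the diff limited to the content changes.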