|
| 1 | +--- |
| 2 | +title: February 2025 RubyGems Updates |
| 3 | +layout: post |
| 4 | +author: Gift Egwuenu |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +Welcome to the RubyGems monthly update! As part of our efforts at Ruby Central, we publish a recap of the work that we’ve done the previous month. Read on to find out what updates were made to RubyGems and RubyGems.org in February. |
| 9 | + |
| 10 | +## RubyGems News |
| 11 | + |
| 12 | +In February, we released RubyGems [3.6.4](https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#364--2025-02-17), [3.6.5](https://github.com/rubygems/rubygems/blob/master/CHANGELOG.md#365--2025-02-20) and Bundler [2.6.4](https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#264-february-17-2025), [2.6.5](https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#265-february-20-2025)[.](https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#263-january-16-2025) These releases bring a series of enhancements and bug fixes designed to improve the overall developer experience with RubyGems. Notable improvements include removing [`gem server` from `gem help` to streamline command output](https://github.com/rubygems/rubygems/pull/8507), raising a [clearer error message when RubyGems fails to activate a dependency](https://github.com/rubygems/rubygems/pull/8449), ensuring Bundler correctly [considers gems under `platform: :windows`](https://github.com/rubygems/rubygems/pull/8428) in the Gemfile when running on Windows with ARM architecture, and fixing a resolver issue caused by [incorrectly defined version ranges](https://github.com/rubygems/rubygems/pull/8503). |
| 13 | + |
| 14 | +Some other important accomplishments from the team this month include: |
| 15 | + |
| 16 | +**Upgrading Kubernetes cluster to v1.32 and our OpenSearch cluster to v2.17** |
| 17 | + |
| 18 | +- We regularly update our infrastructure systems to ensure we’re taking advantage of the latest software features and security patches. This upgrade was scheduled and performed seamlessly without impacting users. |
| 19 | + |
| 20 | +**Developing wheels for RubyGems** |
| 21 | + |
| 22 | +- A proposal is in progress to introduce **"wheels" for RubyGems**, improving the gem build process until every gem ships precompiled binaries. |
| 23 | +- This is better for security as it eliminates the need to execute code during installation. It’s also a huge improvement for the gem install experience thanks to removing the need for build tools, avoiding compilation errors, and reducing installation time. An outline of the project goals has been published at [traveling.engineer](https://traveling.engineer/posts/goals-for-binary-gems/), and implementation sketches are in the works. |
| 24 | + |
| 25 | +**Resolution improvements in Bundler** |
| 26 | + |
| 27 | +- A release of Ruby 3.4.2 introduced incorrect gemspec dependencies for `net-smtp`, leading to multiple bug reports. To prevent similar issues in the future, Bundler now attempts to automatically [fix incorrect dependencies in the lockfile](https://github.com/rubygems/rubygems/pull/8483) whenever possible. When auto-fixing is not possible (e.g., in frozen mode), Bundler now provides clearer error messages to help users resolve the issue. |
| 28 | +- Depfu reported cases where Bundler 2.6 was unexpectedly downgrading dependencies. This was fixed by ensuring [Bundler properly respects locked versions](https://github.com/rubygems/rubygems/pull/8491) and re-adds necessary lower bound requirements. |
| 29 | +- Investigating these issues also led to fixing the [only known issue in our resolver engine (pub_grub)](https://github.com/rubygems/rubygems/pull/8503), improving Bundler’s dependency resolution logic. |
| 30 | + |
| 31 | +## [RubyGems.org](http://rubygems.org/) News |
| 32 | + |
| 33 | +The updates made this month to [RubyGems.org](http://rubygems.org/) reflect a strong commitment to improving user experience, enhancing security, and modernizing the platform. Sponsored hosting for [RubyGems.org](http://rubygems.org/) in February was provided by [AWS](https://aws.amazon.com/?ref=rubycentral.org), [Fastly](https://www.fastly.com/?ref=rubycentral.org) and [Datadog](https://www.datadoghq.com/?ref=rubycentral.org). |
| 34 | + |
| 35 | +The following are highlights of what the team worked on this month: |
| 36 | + |
| 37 | +**Fixed API key role creation for Buildkite** |
| 38 | + |
| 39 | +- A system test was added to fix an issue where creating an [API Key Role for Buildkite incorrectly assigned a GitHub Actions principal](https://github.com/rubygems/rubygems.org/pull/5434) instead of the correct Buildkite principal. This happened because the form defaulted to GitHub OIDC settings, hiding the principal input and preventing users from changing it. |
| 40 | +- The fix removes the unnecessary principal assignment, allowing the correct value to be set automatically for GitHub Actions and Buildkite, ensuring smoother API Key Role creation. |
| 41 | + |
| 42 | +## **RubyGems Ecosystem News** |
| 43 | + |
| 44 | +This is where we highlight exciting updates made to Ruby infrastructure projects that support our RubyGems work. |
| 45 | + |
| 46 | +### Sigstore |
| 47 | + |
| 48 | +**sigstore-ruby** |
| 49 | + |
| 50 | +- The **sigstore-ruby** client is nearly ready for its **0.3.0 release**, bringing **improved spec compliance** and **JRuby support**. |
| 51 | +- Adding JRuby support was particularly challenging, as it required the reimplementation of certain cryptographic operations using Java security APIs instead of relying on the `jruby-openssl` gem. |
| 52 | +- You can read more about the development of sigstore-ruby in [Sam’s 2024 year in review](https://traveling.engineer/posts/2024-in-review/?ref=rubycentral.org#sigstore-ruby). |
| 53 | + |
| 54 | +**Ecosystem adoption** |
| 55 | + |
| 56 | +- A tracker has been launched to monitor sigstore adoption among the most popular gems: [Are We Attested Yet?](https://segiddins.github.io/are-we-attested-yet/) |
| 57 | +- Currently, 20 of the top gems are shipping attestations, and efforts are ongoing to help more maintainers integrate sigstore signing into their release workflows. |
| 58 | + |
| 59 | +## Thank you |
| 60 | + |
| 61 | +A huge thank you to all the contributors to RubyGems and [RubyGems.org](http://rubygems.org/) this month! We deeply appreciate your support and dedication. |
| 62 | + |
| 63 | +### Contributors to RubyGems: |
| 64 | + |
| 65 | +- [@segiddins](https://github.com/segiddins) Samuel Giddins |
| 66 | +- [@simi](https://github.com/simi) Josef Šimánek |
| 67 | +- [@martinemde](https://github.com/martinemde) Martin Emde |
| 68 | +- [@deivid-rodriguez](https://github.com/deivid-rodriguez) David Rodríguez |
| 69 | +- [@hsbt](https://github.com/hsbt) Hiroshi Shibata |
| 70 | +- [@johnnyshields](https://github.com/johnnyshields) Johnny Shields |
| 71 | +- [@edouard-chin](https://github.com/Edouard-chin) Edouard Chin |
| 72 | +- [@y-yagi](https://github.com/y-yagi) Y Yagi |
| 73 | +- [@saraid](https://github.com/saraid) Michael Chui |
| 74 | + |
| 75 | +### Contributors to [RubyGems.org](http://rubygems.org/): |
| 76 | + |
| 77 | +- [@martinemde](https://github.com/martinemde) Martin Emde |
| 78 | +- [@simi](https://github.com/simi) Josef Šimánek |
| 79 | +- [@segiddins](https://github.com/segiddins) Samuel Giddins |
| 80 | +- [@hsbt](https://github.com/hsbt) Hiroshi Shibata |
| 81 | +- [@yob](https://github.com/yob) James Healy |
| 82 | +- [@kachick](https://github.com/kachick) Kenichi Kamiya |
| 83 | + |
| 84 | +*If we missed you, please let us know so we can include you in our shout out!* |
| 85 | + |
| 86 | +--- |
| 87 | +Learn more about contributing to RubyGems by visiting the RubyGems Contributing Guide. We welcome all kinds of contributions, including bug fixes, feature implementation, writing and updating documentation, and bug triage. |
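Review bot: The period after the Bundler 2.6.5 link on line 12 of the new file is itself a link, `[.](https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md#263-january-16-2025)`, pointing at the 2.6.3 January changelog entry, which this post does not cover; it looks like a leftover from an earlier post and should be a plain `.`. The `[RubyGems.org](http://rubygems.org/)` links on lines 30, 32, 60 and 74 use `http://`; suggest `https://rubygems.org/` so readers are not sent through a plaintext hop. The `?ref=rubycentral.org` parameter appears on the sponsor links (line 32) and the year-in-review link (line 51) but not on the traveling.engineer link on line 23; suggest dropping it everywhere for consistency. Line 39 says a system test "was added to fix an issue", while line 40 describes the actual fix as removing the principal assignment; suggest rewording so the test is described as covering the fix. Smaller points: line 87 names the RubyGems Contributing Guide without linking it, line 5 leaves an empty line inside the front matter, and the heading on line 42 is wrapped in `**` unlike the other `##` headings.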