RubyGems
Voluntary ex ante transparency notice
Services
Section I: Contracting authority/entity
Place: Leipzig
NUTS code: DED51 Leipzig, Kreisfreie Stadt
Country: Germany
Contact point(s): [deleted]
E-mail: [deleted]
Internet address(es):
Main address: https://sovereigntechfund.de/
Section II: Subject
RubyGems
The Ruby programming language is a dynamic, open source programming language with a focus on simplicity and productivity. bundler is a tool for secure package management and part of the standard library of the Ruby programming language. It provides a consistent environment for Ruby projects by tracking and installing exactly the packages (RubyGems) and versions needed for a build. RubyGems manages the packages used for Ruby programming. The underlying servers manage billions of downloads every month. Ruby itself is widely used today due to its flexibility. Prominent companies that mainly use Ruby include Github, Stripe, and Airbnb, as well as open-source projects such as Mastodon. Therefore, bundler and RubyGems are an important resource, and each of these applications depends on their smooth functioning and security.
This work describes timely and important improvements to the bundler and RubyGems ecosystem of tools. This includes, among other things, ensuring the compatibility of bundler with current operating systems and improving the performance of RubyGems to continue to ensure the functionality of the servers that have to withstand billions of downloads every month.
The goal of this work is to provide improvements to the Ruby packaging ecosystem, specifically:
Improve reliability for RubyGems.org global service:
● 150d Fund a paid 24/7 on-call rotation of 3-5 people, enabling rapid response to handle emergencies, incidents, or critical security issues.
● 2d Update and consolidate the Terraform repository
● 10d Infrastructure upgrades, including k8s, elasticsearch, and postgres
● 5d Deprecate and remove the legacy dependency API, the most frequent cause of degraded service
● 14d Automated review environments to easily test PRs, speeding up the development process while offering more chances to catch and resolve bugs.
Quality of Life improvements for RubyGems maintainers:
● 20d Build simpler and more automatic admin tools to help users with problems, resolving problems more quickly and with less burden placed on maintainers: yank version, yank gem by name, disable user account by name or email, yank all gems by user account.
● 7d Deprecate and remove gem commands cert, lock, reducing surface area for bugs and eliminating unaudited legacy cryptographic signing scheme.
● 3d Create a GitHub action to release Bundler and RubyGems from CI
Increase support for organizations:
● 10d Add permission levels, so users can have permission to push gems without also having admin permissions to add and remove other users.
● 10d Build a Terraform provider to manage gem permissions, so that organizations can manage permissions for gems in the same place as other cloud permissions.
● 20d OIDC integration for RubyGems.org, improving security by avoiding permanent auth tokens.
● 40d SSO integration for organizations to allow easier and more automated account management.
● 60d Namespaces for organizations, to eliminate an entire class of name-confusion attacks.
Section IV: Procedure
- The contract does not fall within the scope of the Directive
As a research and development service, the contract is excluded from the scope of application of public procurement law (cf. Section 116 (1) No. 2 Act against Restraints on Competition).
Section V: Award of contract/concession
Place: West Hollywood
NUTS code: US United States
Country: United States
Section VI: Additional information
Place: Bonn
Country: Germany