
This last week, the Ruby world was jittery. What happened, though, has far wider ramifications.
The whole situation is still unclear, but here’s my current understanding.
The Ruby Central organization is partly funded by corporate sponsors. Some of these companies apparently became concerned about so-called supply-chain vulnerabilities, where malicious parties were injecting bad code into libraries.
It seems that maintainer access to the RubyGems archive was fairly informal. Over the years, access had been given to folks who needed it. Sometimes this access was still open even though the individuals no longer worked on gems. The financial sponsors of Ruby Central (quite rightly) viewed this as a threat, and demanded that Ruby Central take action.
Ruby Central had apparently been given a deadline. The day that deadline expired, they seem to have panicked. They moved the ownership of the RubyGems repository to their own organization, and they seem to have removed the access of maintainers who did not work for (or have a formal contract with) Ruby Central.
Some of those maintainers posted their displeasure, and the socialverse did what it is supposed to do, overreacting and inflaming the situation.
I have to stress, this is all supposition, based on culling through other people’s posts.
It is clear that Ruby Central botched their handling of this. It shouldn’t have come down to the wire without having some public consultation, and the takeover of the repository should likewise have been explained as it happened.
But that doesn’t matter. A month from now, this will all be history. But that doesn’t mean we write this off as “geeks don’t communicate well *shrug*.” There’s an important warning buried in all the agita.

The World Literally Relies on Open-Source Governance
Linux powers 96% of the world's one-million largest servers.
The modern web relies on JavaScript, and JavaScript relies on the NPM repository.
Shopify, Netflix, AirBnB, and many other household names have systems built on Rails. Laravel probably powers more sites than Rails.
This is all open source software, maintained by and large by unpaid volunteers.
These people are dedicated and largely unthanked. They put in hour after hour, adding features and fixing bugs. In a very real sense, these people keep the modern world running.
These people would never dream of adding malicious code to their projects.
But what happens if they decide it just isn’t worth it? Or what if the various foundations who are the stewards of larger open source projects accidentally mess things up?
What happens if the open source framework on which we build our palaces of code starts to rot? Do you have insurance? Because the open source model will change.
Open Source Insurance
Here are some things you can do to mitigate your exposure to these types of issues:
Do You Really Need It?
Before adding a dependency to your project, ask if you really need it.
Sometimes the thing you are adding is so trivial, you might as well just implement it yourself. The left-pad fiasco of 2016 is a great example. It was literally a dozen or so lines of code that left-padded a string, and yet thousands of projects decided to add it as a dependency rather than write it themselves. Then the developer deleted his code, and projects the world over stopped building.
Sometimes you add a dependency because it lets you do something cool: fancy UI affordances are a great example. Does the customer really need the functionality?
Do You Really Need All of It?
Ruby on Rails is a proud, large, monolith. A brand new Rails app installs over 700 dependencies, which means your project is depending on 700 separate projects over which you have no control or insight.
Sometimes you need the whole thing. But quite often, you can get by with smaller and more targeted libraries.
This isn’t just a Rails issue. If anything, front end JavaScript frameworks are even worse, often starting out with literally thousands of installed libraries.
Do You Have It in Version Control?
NPM suddenly goes dark. Ruby Central runs out of money and shuts down Gems. What happens the next time you check out your project to make a change and npm or bundle install 404s?
Maybe it’s time to run a local mirror of the stuff you use, or add your installed libraries to your project’s repo.
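As an added example (not code from the original post), here is a small Ruby check that every gem pinned in Gemfile.lock is also sitting in vendor/cache, the directory that Bundler's own "bundle package" command fills so that "bundle install --local" keeps working even if rubygems.org is unreachable. The Gemfile.lock and cache listing below are constructed samples.

```ruby
# Added example: verify that the gems locked in Gemfile.lock are all vendored in
# vendor/cache. Bundler's `bundle package` writes one "<name>-<version>.gem" file
# per locked gem there; a gem missing from that directory is one you still fetch
# from the network on every fresh checkout.

# Parse the `specs:` block of a Gemfile.lock. Top-level specs are indented by
# exactly four spaces as "name (version)"; deeper-indented lines are their
# dependencies, which we skip because they also appear as top-level specs.
def locked_gems(lockfile_text)
  in_specs = false
  gems = []
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # a new section such as PLATFORMS
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems << { name: m[1], version: m[2] }
    end
  end
  gems
end

# Return the cache filenames that are absent from the given vendor/cache listing.
# A platform suffix (e.g. "-x86_64-linux") is already part of the locked version.
def missing_from_cache(lockfile_text, cached_files)
  locked_gems(lockfile_text)
    .map { |g| "#{g[:name]}-#{g[:version]}.gem" }
    .reject { |f| cached_files.include?(f) }
end

# Constructed sample: a tiny Gemfile.lock and a partially populated vendor/cache.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (5.6.4)
        nio4r (~> 2.0)
      rake (13.0.6)
      nokogiri (1.13.8-x86_64-linux)

  PLATFORMS
    x86_64-linux
LOCK
SAMPLE_CACHE = %w[nio4r-2.5.8.gem puma-5.6.4.gem rake-13.0.6.gem].freeze

if __FILE__ == $PROGRAM_NAME
  # In a real project, pass Dir.children("vendor/cache") instead of SAMPLE_CACHE.
  missing = missing_from_cache(SAMPLE_LOCK, SAMPLE_CACHE)
  puts(missing.empty? ? "all gems vendored" : "not vendored: #{missing.join(', ')}")
end
```

Run it from CI against File.read("Gemfile.lock") and Dir.children("vendor/cache") to fail the build whenever a newly added gem has not been committed to the cache.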
Is This Really Necessary?
Do I think that any major library repository will just vanish? No, I don’t.
But, it is still a possibility. And if that happens, will your project survive? Insurance is always a hard sell, but it’s often a prudent purchase.
And…
It is well past the time where we should have come up with a fair and transparent way of dealing with the burden of developing and maintaining the software that underlies our whole world.
Seems to me that open source contributions are a proof of work, and are a more worthy basis of value than some cryptographic bit juggling. Maybe there’s a new cryptocurrency lurking in there. Just sayin’.